AD-A100 720  TRW DEFENSE AND SPACE SYSTEMS GROUP HUNTSVILLE ALA  F/G 9/2
APPLICABILITY OF SREM TO THE VERIFICATION OF MANAGEMENT INFORMA--ETC(U)
APR 81  R P LOSHBOUGH, M W ALFORD, J T LAWSON  DAHC26-80-C-0020
UNCLASSIFIED  TRW-37554-6950-001-VOL-1  NL




APPLICABILITY OF SREM TO THE VERIFICATION
OF MANAGEMENT INFORMATION SYSTEM
SOFTWARE REQUIREMENTS

FINAL REPORT
Volume I

CDRL A002

30 APRIL 1981

Prepared For

U.S. Army Institute For Research and
Management Information Computer Science

DAHC26-80-C-0020

TRW
DEFENSE AND SPACE SYSTEMS GROUP
Huntsville, Alabama

This document has been approved for public release and sale; its
distribution is unlimited.



Principal Authors:

R. P. Loshbough

Contributing Authors:

M. W. Alford
J. T. Lawson
0. M. Sims
T. R. Johnson
T. W. Thomas

Editor:

B. B. Bird

R. W. Godman, Manager
Huntsville Laboratory



TABLE OF CONTENTS

1.0 INTRODUCTION
    1.1 SCOPE AND APPROACH OF THE SREM APPLICATION
    1.2 SUMMARY OF RESULTS
    1.3 OVERVIEW OF THIS REPORT

2.0 THE TRW SOFTWARE REQUIREMENTS ENGINEERING METHODOLOGY
    2.1 PURPOSE AND BACKGROUND OF SREM
    2.2 SREM OVERVIEW
    2.3 THE NEW PERSPECTIVE OF SREM
    2.4 RANGE OF SREM ACTIVITIES
    2.5 SREM DEVELOPMENT CONSIDERATIONS
    2.6 PRINCIPAL COMPONENTS OF SREM
        2.6.1 The Requirements Statement Language (RSL)
        2.6.2 The Requirements Engineering and Validation System (REVS)
        2.6.3 The Application Methodology
    2.7 SPECIFICATION MANAGEMENT
        2.7.1 Management Planning and Control
        2.7.2 Review and Analysis
        2.7.3 Partial List of Prespecified RADX Tests
        2.7.4 Requirements Data Base Documentation
        2.7.5 Assessing the Impact of Requirements Changes
        2.7.6 Software Test Planning
    2.8 MAINFRAME REVS SOFTWARE CONFIGURATIONS
        2.8.1 REVS Source
        2.8.2 TRW PASCAL Development System
        2.8.3 Data Base Control System (DBCS)
        2.8.4 Compiler Writing System (CWS)
        2.8.5 Ancillary Files
        2.8.6 BMDATC ARC Installation
        2.8.7 TRW DSSG Installation
        2.8.8 NADC Installation
    2.9 REVS IMPLEMENTATION ON THE DEC VAX 11/780

3.0 DESCRIPTION OF THE SREM APPLICATION TO THE MOM DFSR
    3.1 INTRODUCTORY REMARKS
    3.2 SCOPE OF THIS EFFORT
        3.2.1 Approach to Overcoming Delays Caused by the High Error Count
        3.2.2 Approach to Overcoming the High Input MESSAGE Count
        3.2.3 Impact of the Selected Approaches
    3.3 DEVELOPMENT OF INTERFACE ELEMENTS
        3.3.1 Subsystem Definition
        3.3.2 Interface Definition
        3.3.3 MESSAGE Definition
    3.4 DEVELOPMENT OF GLOBAL DATA
    3.5 DEVELOPMENT OF REQUIREMENTS NETS (R_NET)
        3.5.1 R_NET Considerations
        3.5.2 Example of an R_NET Development
        3.5.3 Definition of SUBNET Processing
        3.5.4 Reason for Liberal Use of SUBNETs
        3.5.5 Development of the ALPHA Description Sheet
        3.5.6 Entry of R_NETs and SUBNETs Into the Requirements Data Base
        3.5.7 R_NETs as Source of Trouble Reports
    3.6 DEVELOPMENT OF TRACEABILITY
    3.7 EVALUATION USING RADX
        3.7.1 The Premise of RADX Use
        3.7.2 RADX Approach
    3.8 ANALYSIS OF THE SREM APPLICATION EFFORT

4.0 RESULTS OF SREM APPLICATION
    4.1 DESCRIPTION OF TROUBLE REPORTS
        4.1.1 Trouble Report Format
        4.1.2 Entry of Trouble Reports into the Requirements Data Base
        4.1.3 RADX Support of Management Review of Trouble Report
    4.2 EVALUATION OF DISCREPANCIES
        4.2.1 DLT Considerations
        4.2.2 R_NET Contribution to Identification of DLT Deficiencies
        4.2.3 Special SREM Procedures to Assure Unambiguous DATA Naming
        4.2.4 Identification of Consistency Problems via RSL and RADX
        4.2.5 Identification of Consistency Problems by Observation
        4.2.6 Identification of Problems by RADX
        4.2.7 Summary of Deficiency Finding
    4.3 MAJOR MOM DFSR PROBLEMS
        4.3.1 Failure to Initiate Certain Batch Processing Output Reports
        4.3.2 Failure to Use the Parameter Report Controls
        4.3.3 DABS Production and Use Inconsistencies
        4.3.4 Work Order Number Character Field Confusion
        4.3.5 Lack of File Purge Instructions
        4.3.6 Missing File Contents
        4.3.7 Significant Quantities of Individually Minor Deficiencies
    4.4 FINDINGS OF SREM PHASE RADX RUNS
    4.5 REGENERATION OF REQUIREMENTS

5.0 A SYSTEMS ENGINEERING APPROACH TO THE EVALUATION OF REQUIREMENTS METHODOLOGIES
    5.1 TECHNICAL COMPARISON OF SREM TO OTHER TECHNIQUES
    5.2 THE SYSTEM ENGINEERING APPROACH FOR EVALUATION
    5.3 THE COST OF FIXING ERRORS VERSUS VERIFICATION COSTS
    5.4 SOFTWARE REQUIREMENTS METHODOLOGY EVALUATION
    5.5 CONCLUSIONS

6.0 ASSESSMENT AND RECOMMENDATIONS
    6.1 APPLICABILITY OF SREM TO ARMY MANAGEMENT INFORMATION SYSTEMS
    6.2 SREM APPLICATION TO TYPICAL MANAGEMENT INFORMATION SYSTEMS
        6.2.1 CV-ASWM Application
        6.2.2 NAVDAC Application
        6.2.3 IHAWK/TSQ73
    6.3 SREM ENHANCEMENTS
    6.4 A COMPLEMENTARY TOOL FOR SREM
    6.5 SUMMARY
    6.6 RECOMMENDATIONS


TABLE OF ILLUSTRATIONS

Figure  Title

1-1   The Seven Phases of SREM Engineering Activity
2-1   The Penalty of Requirements Errors
2-2   An Elementary R_NET
2-3   Use of AND Nodes in R_NETs
2-4   Use of OR Nodes in R_NETs
2-5   Sample R_NET Structure in Graphical and RSL Form
2-6   REVS Functional Organization
2-7   The SREM Methodology Process
2-8   Relationship of Methodology Steps in Phase 1 of SREM
2-9   Partial List of Prespecified RADX Tests
2-10  Engine Monitoring System
2-11  Typical REVS-Produced Documentation
2-12  Typical CALCOMP Plot
2-13  Determination of Software Test Requirements
3-1   Interface Element Interrelationships
3-2   Hierarchical Definition of the MESSAGE: WRK_ORD_REGISTRATION_DATA_MSG_IN
3-3   Hierarchical Definition of the Output MESSAGE: FLOAT_STATUS_REPORT_MSG_OUT
3-4   Format for the Work Center Summary Report
3-5   Hierarchical Definition of the Output MESSAGE: WORK_CENTER_SUMMARY_MSG_OUT
3-6   Format for the Equipment Recall Schedule Report
3-7   Hierarchical Definition of the Output MESSAGE: EQUIP_RECALL_SCHEDULE_HEADER_MSG_OUT
3-8   Hierarchical Definition of the Output MESSAGE: EQUIPMENT_RECALL_SCHEDULE_MSG_OUT
3-9   GLOBAL DATA and FILE Interrelationships
3-10  Hierarchical Definition of the ENTITY CLASS: CROSS_REFERENCE_FILE
3-11  Examples of a SELECT and FOR EACH Node
3-12  R_NET Interrelationships
3-13  The Two Kinds of OR Nodes
3-14  R_NET, SUBNET Symbology
3-15  R_NET: PROCESS_MOM_KEYBOARD_INPUT (NET R1000)
3-16  SUBNET: PROCESS_XMA_ENTRY (NET A1000)
3-17  SUBNET: PROCESS_XMA_A (NET A1001)
3-18  ALPHA Description Sheet for the SUBNET: PROCESS_XMA_A
3-19  RSL Listing of the Structure for SUBNET: PROCESS_XMA_A
3-20  RSL Definition of the ALPHAs in SUBNET: PROCESS_XMA_A
3-21  Traceability Interrelationships
3-22  Excerpt for Chapter 4 of the DFSR Showing ORIGINATING REQUIREMENTS
3-23  Hierarchy for INPUT INTERFACE
3-24  CALCOMP Plot of SUBNET: PROCESS_XMA_A
3-25  Conditional Expressions for the CALCOMP Plot for SUBNET: PROCESS_XMA_A
4-1   AIRMICS Trouble Report Form
4-2   RSL Extensions to Support Trouble Report Entries
4-3   RADX Checks for Incomplete Trouble Reports
4-4   Decision Logic Table 319
4-5   Distribution of MOM DFSR Deficiencies
4-6   Components of CATEGORY_OF_PROBLEM: Inconsistent
4-7   Components of the CATEGORY_OF_PROBLEM: Ambiguous
4-8   Components of the CATEGORY_OF_PROBLEM: Missing
4-9   Components of the CATEGORY_OF_PROBLEM: Illogical
4-10  Components of the CATEGORY_OF_PROBLEM: Incomplete
5-1   Methodology Evaluation Starting Point
5-2   Fault Tolerant Version
5-3   Further Decompositions are Methodology/Tool Specific
5-4   Cost of Requirements
5-5   Example Analysis
6-1   Illustration of Sequential MESSAGE Output Using Non-Terminating OUTPUT_INTERFACEs
6-2   Event Logic Trees, The Basis for Automated Analysis


LIST OF TABLES

Table  Title

2.1   Current Nucleus of Defined RSL Elements, Relationships and Attributes
2.2   MOM DSARC Extended RSL Elements, Relationships, and Attributes
3.1   RSL Definitions Used in the Development of Interface Elements
3.2   SUBSYSTEMS Identified in the MOM DFSR
3.3   Comparison of Annex A Input Descriptions and Equivalent RSL MESSAGE Names
3.4   Comparison of Annex B Output Description and Equivalent RSL MESSAGE Names
3.5   RSL Definitions Used in the Development of ENTITY CLASSes and ENTITY_TYPE
3.6   Comparison of Annex D Files and Equivalent RSL ENTITY CLASSes and ENTITY_TYPEs
3.7   RSL Definitions Used in the Development of R_NETs
3.8   RSL Definitions Used in the Development of Traceability
3.9   RADX Relational Operators
3.10  RADX Positive and Negative Connectors
3.11  Append_Item List
3.12  SREM Phase 1 RADX Checks
3.13  SREM Phase 2 RADX Checks
3.14  SREM Phase 3 RADX Checks
3.15  SREM Phase 4 RADX Checks
3.16  SREM Phase 6 RADX Checks
3.17  SREM Task/Time Allocation
4.1   Periodic Output Message Problem
4.2   Daily Accumulated Batch Storage (DABS) Inconsistencies
5.1   A Comparison of Some Requirements Techniques
5.2   Relative Costs on Large Projects
6.1   Description of Management Information Systems to Which SREM Has Been Applied
6.2   Survey of SREM Applicability to NAVDAC Applications
6.3   SREM Applicability to the IHAWK/TSQ73 Application
6.4   Enhancements Needed for Various SREM Applications to Systems with Characteristics Similar to Management Information Systems


1.0  INTRODUCTION 


This document is the final report concerning TRW's demonstration of
the application of the Software Requirements Engineering Methodology (SREM)
to an existing Government Detailed Functional System Requirements (DFSR)
Document under Contract DAHC26-80-C-0020, and is submitted in accordance
with CDRL A002. It was prepared for the Army Institute for Research and
Management Information Computer Science, located at Georgia Tech
University, Atlanta, Georgia. It documents the result of TRW's application
of SREM to TM 38-L71-2, Detailed Functional System Requirement (DFSR) -
Volume IV, Standard Army Maintenance System (SAMS) - Retail Level,
Maintenance Operations Management (MOM), (SAMS-1). The objective of this
effort  was  to  demonstrate  the  power  of  SREM  as  a  tool  to  verify  a  software 
requirement,  with  the  goal  of  determining  the  extent  to  which  it  was  a 
complete,  consistent,  and  unambiguous  document.  Specifically,  the  intent 
was  to  attain  an  understanding  of  what  SREM  is,  how  it  is  used,  and  what 
capability  it  possesses  for  isolating  discrepancies  in  an  existing  software 
specification.  In  addition,  this  effort  was  intended  to  provide  the  basis 
for  assessing  the  potential  of  SREM  for  inclusion  as  a  tool  in  the  current 
Army  ADP-system  development  life  cycle. 

This  report  is  published  in  two  volumes.  Volume  I  contains  the  basic 
report  text,  while  Volume  II  contains  the  appendices  that  accompany  this 
report. 




1.1  SCOPE  AND  APPROACH  OF  THE  SREM  APPLICATION 

SREM  includes  a  seven-phase  effort,  which  is  shown  pictorially  in 
Figure  1-1.  However,  the  SREM  effort  under  this  contract  was  limited  to 
Phases 1 through 4. The efforts in the omitted phases involve the
determination of VALIDATION_POINTs and VALIDATION_PATHs for
PERFORMANCE_REQUIREMENTS plus two simulation phases for dynamically
checking the software requirements.

The  assessment  of  the  adequacy  of  the  MOM  DFSR  specification  was 
accomplished  utilizing  the  following  tasks: 

•  Definition  of  interface  elements 

•  Definition  of  stored  information 

•  Definition  of  processing  logic 

•  Definition  of  traceability 

•  Evaluation  using  the  Requirements  Analysis  and  Data 
Extraction  (RADX)  capability  resident  in  the  supporting 
software. 

Additional tasks accomplished under the contract included a description of:

•  The contents and application of SREM and its components

•  The current state of SREM development

•  The applicability of the current SREM approach to
Management Information Systems

•  SREM capability versus other similar techniques

•  How SREM might be modified to improve its capability.




Figure  1-1  The  Seven  Phases  of  SREM  Engineering  Activity 


1.2  SUMMARY  OF  RESULTS 

The  power  of  the  use  of  SREM  to  discover  discrepancies  in  software 
specifications  was  confirmed  as  a  result  of  this  effort.  A  total  of  302 
Trouble  Reports  were  written  to  document  the  discrepancies  discovered  in 
the  logic  of  processing  outlined  in  Decision  Logic  Tables  (DLTs)  within  the 
MOM DFSR, and in their data consistency when compared to the data named in
Annexes A, B, C and D. Although many of the discrepancies were minor,
there were several significant problems, as are discussed in the body of
the report.

No concerted attempt was made to determine all of the inconsistencies
between the text descriptions, functional flow diagrams, and the DLTs.
These internal inconsistencies were quite apparent, and a few have been
reported via Trouble Reports. However, SREM was not designed to harmonize
these kinds of problems. Rather, it is a tool to investigate the logic of
the processing specified in the context of the inputs received and the
expected outputs produced by the data processor. Accordingly, the SREM
application was primarily applied to the most detailed available
information concerning processing intent, as was provided by the DLTs.

Although  there  are  some  enhancements  that  should  be  investigated  to 
aid  the  application  of  SREM  for  better  support  of  Management  Information 
Systems,  SREM  is  clearly  applicable  to  software  applications  of  this  type, 
and  can  be  applied  in  its  current  state. 

In  addition  to  its  proven  capability  as  a  verification  tool  for  an 
existing  software  specification  at  the  DFSR  level,  SREM  can  produce  an  even 
greater positive impact on software development if the DFSR-level
specification is actually developed from the system level software requirements
(presumably  the  General  Functional  Systems  Requirement  (GFSR)).  When 
applied  at  that  stage  of  development,  the  proposed  approach  can  easily  be 
communicated  and  understood.  Because  of  the  improved  communication  between 
the  developer  and  the  user  early  in  the  development  cycle,  the  user  can 
judge  whether  the  proposed  decomposition  of  the  system  level  requirements 
(to  the  software  requirements)  will  produce  what  is  actually  intended.  If 
not,  appropriate  correction  can  be  easily  implemented  well  before  such 
changes  become  prohibitively  expensive.  In  addition,  the  effort  by  the 
software  engineer  to  decompose  the  GFSR  level  requirements  to  the  DFSR 
level using SREM will highlight areas where insufficient, ambiguous, or
conflicting information exists. Again, by raising such issues early in the
development phase, the true intent of the user can be determined and
factored into the DFSR very early in the development cycle.

A comparison of SREM to the capabilities of other software requirements
techniques was accomplished. SREM was shown to be not only technically
superior to the others, but to allow lower software application
life-cycle costs as well.




1.3  OVERVIEW  OF  THIS  REPORT 


Section 2 of this report provides a tutorial description of SREM.
This includes the following considerations:

•  The Requirements Statement Language (RSL).

•  The automated support tools incorporated in the
Requirements Engineering and Validation System (REVS)
with emphasis on the Requirements Analysis and Data
Extraction (RADX) function, which provides the
capability to test the adequacy of the requirements data
base, and to provide documentation of its content.

•  The  application  methodology,  including  development  of 
Requirements  Nets  (R_NETs)  used  to  define  the  processing 
response  to  the  various  input  stimuli  and  to  provide  the 
ability  for  early  software  test  planning. 

•  Management  considerations. 

•  REVS  software  installation  information. 

Section  3  describes  the  basic  tasks  accomplished  under  this  contract 
and their results. It includes a discussion of our approach to the
definition of interface elements, stored information, processing logic (R_NETs),
and traceability. Further discussion is provided with more detail on RADX
use for evaluation of the requirements data base, and the results of the
RADX evaluation are presented. Finally, a discussion of the statistics of
the  manloading  application  necessary  to  accomplish  the  SREM  tasks  is 
provided. 

Section 4 discusses the results of the evaluation of the MOM DFSR.
The kinds and degree of deficiencies found and documented by Trouble
Reports are presented, and the general effects of the DFSR
deficiencies are summarized. A discussion on the regeneration of the DFSR
using the documentation capability of RADX is also provided.

Section 5 compares SREM to other competing software requirements
engineering tools, to include relevant similarities and differences. This
discussion includes the important matter of total life cycle software costs
as a criterion for selecting a requirements engineering technique. It is
shown to be an appropriate way to assess the value of these tools, since
more than just their initial application costs should be considered.

Section 6 completes this report and discusses the applicability of
SREM to Management Information Systems. It also summarizes a few
limitations experienced with SREM in the verification of software applications,
such as the MOM DFSR. Enhancement of RSL/REVS to ameliorate these
limitations is discussed as a means to provide a more powerful SREM capability
for developing and/or analyzing software requirements in the development of
management information systems. All of these sections are contained in
this volume (Volume I) of the report.




2.0  THE  TRW  SOFTWARE  REQUIREMENTS  ENGINEERING  METHODOLOGY 


The Software Requirements Engineering Methodology (SREM), developed
for scientific systems, embodies four years of concentrated research
directed toward the generation of better software requirements. As most of
the fundamental concepts are directly applicable in the management
information system environment, a re-statement of the original SREM objective
and an overview of existing capabilities and recent developments is
appropriate. 




2.1  PURPOSE  AND  BACKGROUND  OF  SREM 

In the Fall of 1974, the Data Processing Directorate of the U.S. Army
Ballistic Missile Defense Advanced Technology Center (BMDATC) initiated a
series of research programs directed to the development of a complete and
unified approach to software development. These programs encompassed the
total range of activities from development of system specifications through
completion and testing of the software process design. Supporting programs
were also conducted to perform basic research into such areas as software
reliability, static and dynamic validation techniques, and adaptive control
and learning.

A  key  element  of  the  BMDATC  programs  was  the  Software  Requirements 
Engineering  Program  (SREP).  This  was  a  research  effort  concerned  with  a 
systematic  approach  to  the  development  of  complete  and  validated  software 
requirements  specifications.  As  shown  in  Figure  2-1,  errors  made  in  the 
requirements  phase  become  increasingly  more  expensive  to  locate  and  correct 
in  the  later  phases  of  development. 


Figure  2-1  The  Penalty  of  Requirements  Errors 


Ambiguity and lack of precision in the requirements statements lead
to misinterpretation (and therefore errors) in the subsequent development
phases and add further to cost and schedule overruns. Consistent with
alleviating these problems with current requirements specification
practices, the overall objectives of the SREP research were to:

•  Ensure a well-defined technique for decomposition of
system requirements into structured software
requirements.

•  Provide a mechanism for enhanced management visibility
into the requirements development.

•  Maintain requirements development independent of the
target machine and the eventual software design.

•  Allow for easy response to system requirements change.

•  Provide for testable and easily validated software
requirements.


2.2  SREM  OVERVIEW 


To meet these objectives, the Software Requirements Engineering
Methodology (SREM) was developed. SREM is a formal, step-by-step process
for defining data processing requirements. It provides a means to
evaluate system requirements and enables preparation of good software
specifications prior to design and coding.

SREM  is  designed  to  provide  certain  qualities  often  lacking  in  many 
software  requirements.  The  most  important  of  these  are: 

•  INTERNAL  CONSISTENCY,  which  is  difficult  to  attain  when 
applying  traditional  techniques  on  large  systems. 

•  EXPLICITNESS,  which  requires  unambiguous,  complete 
descriptions  of  what  is  to  be  done,  when,  and  with  what 
kind  of  data. 

•  TESTABILITY, which ensures that ALL performance
requirements  are  directly  testable. 

•  TRACEABILITY,  which  allows  easy  impact  assessment  of 
changes  to  system  requirements. 

The basic elements of SREM are the methodology of application, its
language, and the automated software tools to support the application effort.
The Requirements Statement Language (RSL) provides the user with the
ability to define software requirements in a form which assures unambiguous
communication of explicit, testable requirements, and combines the
readability of English with the rigor of a computer-readable language. The
Requirements Engineering and Validation System (REVS) provides the
automated tools for translating, storing, analyzing, simulating, and
documenting requirements written in RSL. Through the use of RSL and REVS, the
engineer can verify the completeness and consistency of a software
specification with a high degree of confidence.




2.3  THE  NEW  PERSPECTIVE  OF  SREM 

This methodology is an integrated, structured approach to requirements
engineering activities. SREM begins with the translation and
decomposition of system level requirements, or with the verification of an
existing software specification. It performs analysis, definition, and
validation of the ADP requirements; and ends with computer supported
documentation of the completed software requirements. It represents a
different approach and philosophy for software requirements engineering in
that it embodies a flow orientation which eliminates many of the problems
inherent in the classical functional hierarchy.

The common practice of organizing software requirements into a
hierarchy of functions, subfunctions, etc., while superficially appealing,
leads to difficulties in both the expression and the
verification/validation of the requirements. This is due, in part, to the fact that such
organization does not fit the basic input-process-output nature of data
processing, and in part to the fact that a hierarchical tree of arbitrarily
defined "functions" does not have a sufficiently rigorous mathematical
basis to allow automated analysis for the completeness and consistency
properties of the resulting specification. To avoid these difficulties,
RSL and REVS are based on the concept of processing flow, a
stimulus-response approach. Software requirements written in RSL are formulated in
terms of a mathematical network (graph model) called a Requirements Network
(R-NET). This approach provides several advantages:

•  Describing the required processing in terms of a "logic
diagram" of the system is natural to most engineers.

•  The mathematical properties of an R-NET allow automated
analysis for consistency and completeness through the
application of graph theory.

•  The flow orientation of an R-NET allows automated
generation of simulation directly from the stated
requirements.

Flows through a system are specified on the R-NETs, which consist of
nodes which specify required processing operations and connecting arcs.
The basic nodes are INPUT_INTERFACEs, OUTPUT_INTERFACEs, and required
processing activities called ALPHAs. Through the use of these basic nodes,
the required paths of processing can be specified. For example, if data is
to be input to the data processor through an INPUT_INTERFACE called A,
processed by a processing step (ALPHA) called B, then processed by an ALPHA
called C, and the result output through an OUTPUT_INTERFACE called D, then
the required processing path can be specified by listing the sequence of
operations:

    INPUT_INTERFACE: A
    ALPHA: B
    ALPHA: C
    OUTPUT_INTERFACE: D

This simple R_NET is illustrated graphically in Figure 2-2.


Figure 2-2 An Elementary R_NET

In the above example, the sequence ALPHA B-ALPHA C means that those
processing steps must be performed in the indicated sequence. In many
cases, the actual order of processing is immaterial. This can be specified
through the use of an AND node as shown in Figure 2-3. This structure
means that both B and C must be performed after receipt of data through A
and before the result is output through D, but B and C are sequentially
independent and may be performed in any order (or in parallel).

Figure 2-3 Use of AND Nodes in R_NETs

Most systems also require the specification of decision (control)
points. Thus, in the above example, if B is to be performed under some
circumstances (depending on the value of the input data, for example) and C
is to be performed otherwise, a decision point and its attendant decision
criterion must be specified. This is specified in an R_NET through the use
of an OR node as illustrated in Figure 2-4. The second OR node following B
and C means that the processing is to continue (i.e., output the results
through D) if processing on either input branch has been completed.

Through the use of the INPUT_INTERFACE, ALPHA, and OUTPUT_INTERFACE,
plus the AND and OR nodes, complete, complex processing requirements can be
readily specified. Other nodes are provided to specify selection of data
to be processed (SELECT, FOR EACH), to designate "test points" for
specifying performance requirements (VALIDATION_POINTs), to provide internal
controls (EVENTs), and to summarize detailed, subordinate processing flows
(SUBNETs).
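
The sequence, AND and OR semantics described above can be made concrete by enumerating the step orderings each structure allows and checking an observed trace against them. The Python below is an added example, not part of the original report or of REVS; the tuple encoding, the function names and the OR criterion labels are assumptions made for illustration.

```python
"""Constructed model of the R_NET node semantics; not RSL and not REVS code."""
from itertools import product

LEAVES = {"INPUT_INTERFACE", "ALPHA", "OUTPUT_INTERFACE"}


def leaf(kind, name):
    """An interface or a processing step (ALPHA)."""
    return (kind, name)


def seq(*parts):
    """Steps that must be performed in the indicated sequence."""
    return ("SEQ", parts)


def and_node(*branches):
    """Branches that must all be performed, in any order."""
    return ("AND", branches)


def or_node(*branches):
    """Decision point: each branch is (criterion, subnet); one is taken."""
    return ("OR", branches)


def interleavings(seqs):
    """Every merge of the sequences that keeps each one's internal order."""
    seqs = [s for s in seqs if s]
    if not seqs:
        return {()}
    merged = set()
    for i, s in enumerate(seqs):
        rest = seqs[:i] + [s[1:]] + seqs[i + 1:]
        merged |= {(s[0],) + tail for tail in interleavings(rest)}
    return merged


def orderings(node):
    """Set of step sequences that the structure allows."""
    kind, body = node
    if kind in LEAVES:
        return {(body,)}
    if kind == "SEQ":
        paths = {()}
        for part in body:
            paths = {head + tail for head in paths for tail in orderings(part)}
        return paths
    if kind == "AND":
        paths = set()
        for choice in product(*(orderings(b) for b in body)):
            paths |= interleavings(list(choice))
        return paths
    if kind == "OR":
        paths = set()
        for _criterion, branch in body:
            paths |= orderings(branch)
        return paths
    raise ValueError(f"unknown node kind: {kind}")


def conforms(net, trace):
    """True when an observed sequence of steps is one the R_NET allows."""
    return tuple(trace) in orderings(net)


def r_net(body):
    """Wrap a processing structure between interfaces A and D, as in the text."""
    return seq(leaf("INPUT_INTERFACE", "A"), body, leaf("OUTPUT_INTERFACE", "D"))


B, C = leaf("ALPHA", "B"), leaf("ALPHA", "C")
FIG_2_2 = r_net(seq(B, C))                                   # fixed sequence
FIG_2_3 = r_net(and_node(B, C))                              # order immaterial
FIG_2_4 = r_net(or_node(("criterion holds", B), ("otherwise", C)))  # decision

if __name__ == "__main__":
    for label, net in (("2-2", FIG_2_2), ("2-3", FIG_2_3), ("2-4", FIG_2_4)):
        print("Figure", label, sorted(orderings(net)))
```
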

The  Stimulus-Response  approach,  as  discussed  above,  for  the  analysis 
and  definition  of  software  specifications  has  become  the  cornerstone  of  the 
SREM  approach,  and  provides  a  new  perspective  for  (as  well  as  a  concise 
means  of)  describing  software  requirements. 




2.4  RANGE  OF  SREM  ACTIVITIES 


The starting point of SREM in the development of a software requirement
from the system level is the point in systems engineering where the
system requirements analysis has identified the functions and the stress
points of the specified system; the interfaces between the subsystems (at
least on the functional level); top-level system functions and operating
rules (when and in what order functions are to be performed); and where
top-level system functions have been allocated to the data processor. In
the case of a verification effort, it begins with the determination to
investigate the adequacy of an existing specification.

For both of the above cases, SREM is considered completed when the
point is reached where primarily software development expertise is required
to continue, the interfaces have been defined at the element level, all
processing steps have been identified with appropriate DP requirements
levied, all actions of the DP in response to a stimulus are determined in
terms of sequences of processing steps, and the processing necessary to
generate all required DP output interface messages has been specified. The
basic difference for a verification effort is that deficiencies in the
existing specification will have been documented and reported to the extent
that the above characteristics are not present.


2.5  SREM  DEVELOPMENT  CONSIDERATIONS 

The first step in defining the Software Requirements Engineering
Methodology was to determine the properties required of a specification and
of the individual requirements of which it is composed. The initial
considerations were that:

•  A specification is the set of all requirements which
must be satisfied, and the identification of the subsets
which must be met concurrently.

•  A  specification  is  neither  realizable  nor  legally 
binding  unless  it  is  consistent  with  both  the  laws  of 
logic  and  the  laws  of  nature. 

•  A  specification  defines  the  properties  required  of  a 
product,  such  that  any  delivery  satisfying  the 
specification  satisfies  the  objectives  of  the  specifier. 

Taken together, the above considerations lead to a set of properties
which a specification must have, from a technical point of view. They are:

•  Internal  consistency. 

•  Consistency  with  the  physical  universe. 

•  Freedom  from  ambiguity. 

Economic  and  management  considerations  lead  to  the  following  set  of 
properties  which  a  good  specification  must  exhibit: 

•  Clarity. 

•  Minimality. 

•  Predictability  of  specification  development. 

•  Controllability  of  software  development. 

Since freedom from ambiguity was mandatory, a machine-readable statement
of software requirements was defined. By employing an unambiguous
language, and by translating and analyzing it with a program intolerant of
ambiguity, a precise statement of requirements was ensured.

To provide an internally consistent specification, analyses of the
requirements statements are performed by the REVS software. These analyses
include semantic and syntactic decomposition of the individual statements,
and analysis of the composite flow of data and processing. Support of
consistency with the physical universe is accomplished by converting the
specification unambiguously into a simulation which can be executed against
a model of the real world.

Recently,  the  Government  has  required  that  tactical  software  be 
developed  in  accordance  with  DoD  Directive  5000.29.  One  key  aspect  of  this 
requirement  is  that  any  software  specification  must  be  validated  before 
being  imposed.  With  the  collection  of  tools  and  the  methodology  for  their 
use,  SREM  provides  a  means  for  this  validation  through  static  and  dynamic 
analysis  at  the  requirements  level. 

Finally, to support control of both the specification process and
software development, a means of selective documentation and analysis of
the specification is provided. The integration of these tools with a sound
and methodical engineering and management approach provides predictability
in the specification process. Further, it aids in avoiding
over-specification.

SREM was developed to ensure that software specifications express the
real needs of the user. Although it was developed explicitly for high
technology weapon systems problems, it is grounded on fundamental concepts
relevant to all types of data processing.




2.6  PRINCIPAL  COMPONENTS  OF  SREM 

The three components of SREM are the Requirements Statement Language
(RSL), the Requirements Engineering and Validation System (REVS), and the
application methodology, itself. These components are described in this
section.

2.6.1  The  Requirements  Statement  Language  (RSL) 

The Requirements Statement Language is a user-oriented mechanism for
specifying requirements. It is oriented heavily toward colloquial English,
and uses nouns for elements and attributes, and transitive verbs for
relationships. A complementary relationship uses the passive form of the
verb. Both syntax and semantics echo English usage, so that many simple RSL
sentences may be read as English with the same meaning. However, the
precision of RSL, enforced through machine translation, is not typical of
colloquial speech. As a result, most complex RSL sentences are a somewhat
stylized form of English.

The basic structure of RSL is very simple and is based on four primitive
language concepts: elements, attributes, relationships, and
structures.

Elements

Elements in RSL correspond roughly to nouns in English. They are
those objects and ideas which the requirements analyst uses as building
blocks for his description of the system requirements. Each element has a
unique name and belongs to one of a number of classes called element types.
Some examples of standard element types in RSL are ALPHA (the class of
functional processing steps), DATA (the class of conceptual pieces of data
necessary in the system), and R_NET (the class of processing flow
specifications).

Attributes 

Attributes are modifiers of elements, somewhat in the manner of
adjectives in English, and they formalize important properties of the
elements. Each attribute has associated with it a set of values which may
be mnemonic names, numbers, or text strings. Each particular element may
have only one of these values for any attribute. An example of an
attribute is INITIAL_VALUE, which is applicable to elements of type DATA. It
has values which specify what the INITIAL_VALUE of the data item must be in
the implemented software and for simulations.

Relationships 

The relationship (or relation) in RSL may be compared with an English
verb. More properly, it corresponds to the mathematical definition of a
binary relation; that is, a statement of an association of some type
between two elements. The RSL relationship is not symmetric; it has a
subject element and an object element which are distinct. However, there
exists a complementary relationship for each specified relationship which
is the converse of that specified relationship. ALPHA INPUTS DATA is one
of the relationships in RSL; the complementary relationship states that
DATA is INPUT TO an ALPHA.

Structures 

The final RSL primitive is the structure, the RSL representation of
the flow graph. Two distinct types of structures have been identified.
The first is the R_NET (or SUBNET) structure. As previously described, it
identifies the flow through the functional processing steps (ALPHAs) and is
used to specify the system response to various stimuli. The second
structure type is the VALIDATION_PATH, which is used to specify performance
of the system.

The goal of stabilizing requirements in a natural fashion using the
stimulus-response approach, yet being rigorous enough for machine
interpretation, was achieved primarily by orienting the design around the
specification of flow graphs. Expression of structures in RSL is
accomplished by mapping the two-dimensional graph onto a one-dimensional
stream suitable for computer input.

The RSL structures are based on an extension to the basic theory of
graph models of computation developed at UCLA to describe the intended
operation of software. Many of the rules for constructing the RSL
structures are fixed in order to enforce discipline, to preclude the user
from forming flow patterns, and to ensure that each R_NET has a valid
logical basis. Figure 2-5 shows the currently allowable nodes that may be
incorporated into a legal network, and their equivalent RSL description.

Through the use of these four primitive language concepts, a basic
requirements language is provided which includes concepts for specifying
processing flows, data processing actions, and timing and accuracy
requirements. In addition, informative and descriptive material and
management-support information may be specified. Using these primitives, a
nucleus of concepts has been defined which, to date, has proven sufficient
in scientific applications. Concepts supported by the current scientific
version of the language are summarized in Table 2.1.


Table 2.1 Current Nucleus of Defined RSL Elements, Relationships and
Attributes

ELEMENT TYPES               RELATIONSHIPS    ATTRIBUTES
ALPHA                       ASSOCIATES       ALTERNATIVES
DATA                        COMPOSES         ARTIFICIALITY
DECISION                    CONNECTS         BETA
ENTITY_CLASS                CONSTRAINS       CHOICE
ENTITY_TYPE                 CONTAINS         COMPLETENESS
EVENT                       CREATES          DESCRIPTION
FILE                        DELAYS           ENTERED_BY
INPUT_INTERFACE             DESTROYS         GAMMA
MESSAGE                     DOCUMENTS        INITIAL_VALUE
ORIGINATING_REQUIREMENT     ENABLES          LOCALITY
OUTPUT_INTERFACE            EQUATES          MAXIMUM_TIME
PERFORMANCE_REQUIREMENT     FORMS            MAXIMUM_VALUE
R_NET                       IMPLEMENTS       MINIMUM_TIME
SOURCE                      INCLUDES         MINIMUM_VALUE
SUBNET                      INCORPORATES     PROBLEM
SUBSYSTEM                   INPUTS           RANGE
SYNONYM                     MAKES            RESOLUTION
UNSTRUCTURED_REQUIREMENT    ORDERS           TEST
VALIDATION_PATH             OUTPUTS          TYPE
VALIDATION_POINT            PASSES           UNITS
VERSION                     RECORDS          USE
                            SETS
                            TRACES

RSL is an extensible language in that the primitives described above,
which are initially built in, can be used to define additional complex
language concepts. This extension capability of the language was exercised
throughout the application of SREM to the MOM DFSR, and the extended
concepts are shown in Table 2.2.

2.6.2  The  Requirements  Engineering  and  Validation  System  (REVS) 

The Requirements Engineering and Validation System (REVS) is designed
to allow the requirements engineer to state and modify requirements
information over a period of time as the requirements are developed. The RSL
statements that an engineer inputs to REVS are analyzed, and a
representation of the information is put into a centralized requirements data
base, called the Abstract System Semantic Model (ASSM). It bears this name
because it maintains information about the required data processing system
(RSL semantics) in an abstract, relational model. Once entered into the
ASSM, the requirements are available for subsequent refinement, extraction,
and analysis by the REVS software.


Table 2.2 MOM OSARC Extended RSL Elements, Relationships, and Attributes

ELEMENT TYPES       RELATIONSHIPS    ATTRIBUTES
DATA_ELEMENT        AS_OF            CARD_FIRST_COLUMN
LOfiCJEN            CODED_AS         CARD_LAST_COLUMN
MOM_FUNCTION        LOCATED_IN       DEFINITION
PREPARATION_DATE    SUPPORTS         FIELD_LENGTH
RELATIVE_POSN       USES             FIELD_TYPE
REVIEW_DATE                          FREQUENCY_OF_USE
                                     GROWTH_RATE
                                     NORMAL_ACCESS_KEY
                                     NR_CHAR_PER_RECORD
                                     NR_CURRENT_RECORDS_PER_FILE
                                     NR_PROJECTED_RECORDS_PER_FILE
                                     PROPOSED_FILE_ORGN
                                     PROPOSED_MEDIA
                                     PURGE_RATE
                                     REQUIRED_ITEM
                                     RETENTION_PERIOD
                                     SECURITY_CLASSIFICATION

From a user point of view, there are five major functional capabilities
which REVS provides.

•  Processing  of  RSL. 

•  Interactive  generation  of  Requirements  Networks 
(R_NETs). 

•  Analysis of requirements and their listing in RSL and/or
in specially formatted reports, using the Requirements
Analysis and Data Extraction (RADX) capability.

•  Generation and execution of functional and analytic
simulators from functional requirements, models, or
algorithms, and the generation and execution of
simulation post-processors from analytic performance
requirements.

•  Processing  of  extensions  to  RSL. 

REVS and RSL allow the engineer to enter requirements into the
requirements data base as they are developed, with REVS checking for
consistency and completeness as new data is entered. Although the REVS
capabilities may be applied in any order, generally, the user will initially
build the requirements data base, and then request various Requirements
Analysis and Data Extraction (RADX) static analyses to be performed. New
entries will be made and additional RADX static analysis repeated until the
requirements have been sufficiently developed for a simulation to be
meaningful and useful. At that time, a simulator and post-processor may be
generated. Once generated, it may then be executed numerous times and the
data recorded and analyzed. Based on the results, this sequence may be
repeated, starting with the modification of the existing requirements or
the addition of new ones. The sequence will also be repeated as system
requirements change, or when new requirements are imposed. When the user
is satisfied that the requirements are correct, based upon the results of
static and dynamic analysis, REVS will document the requirements in a form
usable in a software requirements specification.

Each of the major capabilities identified above is allocated to a
different functional component of REVS. The capabilities of these
functions are described briefly below.

2.6.2.1 Processing of RSL

The analysis of RSL statements and the establishment of entries in
the requirements data base corresponding to the meaning of the statements
is performed by the RSL translation function of REVS. The translation
function also processes the modifications and deletions from the data base
commanded by RSL statements specifying changes to already-existing entries
in the data base. For all types of input processing, the RSL translation
function references the data base to do simple consistency checks on the
input. This prevents disastrous errors such as the introduction of an
element with the same name as a previously-existing element, or an instance
of a relationship which is tied to an illegal type of element. Besides
providing a measure of protection for the data base, this type of checking
catches some of the simple types of inconsistencies that are often found in
requirements specifications at an early state, without restricting the
order in which the user adds to, or alters, the data base.

2.6.2.2 Interactive Generation of R_NETs

Graphics capabilities to interactively input, modify, or display
R_NET, SUBNET, and VALIDATION_PATH structures are provided through the REVS
Interactive R_NET Generation (RNETGEN) function. RNETGEN permits entry of
structures and referenced elements in a manner parallel to the RSL
translator, and thus provides an alternative to the RSL translator for the
specification of the flow portion of the requirements. Using this function,
the user may develop (either automatically or under direct user control) a
graphical representation of a structure previously entered in RSL. The
user may work with either the graphical or RSL language representation of a
structure; they are completely interchangeable.

The Interactive R_NET Generation facility contains full editing
capabilities. The user may input a new structure, or he may modify one
previously entered. When satisfied with the newly generated R_NET, the
user may cause it to be stored, at which point it is automatically
translated into an RSL representation and stored in the data base. At the
conclusion of the editing session on an existing structure, the user may
elect to replace the old structure with the modified one. The editing
functions provide means to position, connect, and delete nodes, to move
them, to disconnect them from other nodes, and to enter or change their
associated names and commentary. The size of a structure is not limited by
the screen size since zoom-in, zoom-out, and scroll functions are provided.

2.6.2.3 Analysis and Output of Requirements

The RADX function provides both static flow analysis capabilities and
the capabilities of a generalized extractor system for checking the
completeness and consistency of the requirements specification and for the
development of requirements documentation. The static flow analysis deals
with data flow through the R_NETs. The analysis uses the R_NET structure
(in much the same manner that programming language data flow analyzers use
the control flow of a program) to detect deficiencies in the flow of
processing and data manipulation stated in the requirements. The generalized
extractor system allows the user to perform additional analysis and to
extract information from the data base. The user can subset the elements
in the data base based on some condition (or combination of conditions),
and display the elements of the subset with any related information he
selects.

Information  to  be  retrieved  is  identified  in  terms  of  RSL  concepts. 
For  example,  if  the  user  wants  a  report  listing  all  DATA  elements  which  are 
not  INPUT  to  any  ALPHA  (processing  step),  he  enters  the  following  commands: 

SET  A  =  DATA  THAT  IS  NOT  INPUT. 

LIST  A. 

By combining sets in various ways, he can detect the absence or presence of
data, trace references on the structures, and analyze inter-relationships
established in the data base. In analyzing user requests and extracting
information from the data base, the extractor system uses the definition of
the language concepts, which are also contained in the data base. Thus, as
RSL is extended, the extensions and their use in the requirements are
available for extraction. Because of the importance of the use of RADX in
the evaluation of the requirements data base and in the regeneration of
requirements in this effort, a more detailed description of RADX is
provided in Paragraph 3.7, preceding the description of our RADX evaluation
effort.
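
The entry-time consistency checks of Paragraph 2.6.2.1 and the set-based extraction described above can be sketched with a small relational model. The Python below is an added example, not REVS or RADX code; the class, the function names, the sample element names and the complement name OUTPUT_FROM are assumptions made for illustration.

```python
"""Constructed model of a relational requirements data base; not REVS code."""

# relationship -> (legal subject type, legal object type, complementary name).
# INPUTS and its complement come from the text; OUTPUTS is in Table 2.1, but
# the complement name OUTPUT_FROM is an assumption made for this example.
RELATIONSHIPS = {
    "INPUTS": ("ALPHA", "DATA", "INPUT_TO"),
    "OUTPUTS": ("ALPHA", "DATA", "OUTPUT_FROM"),
}


class ConsistencyError(Exception):
    """An entry was rejected because it would corrupt the data base."""


class RequirementsDB:
    def __init__(self):
        self.types = {}      # element name -> element type
        self.facts = set()   # (subject, relationship, object) triples

    def add_element(self, etype, name):
        # Reject a new element that reuses the name of an existing one.
        if name in self.types:
            raise ConsistencyError(f"{name} already exists as {self.types[name]}")
        self.types[name] = etype

    def relate(self, subject, relationship, obj):
        # Reject a relationship tied to an illegal type of element.
        if relationship not in RELATIONSHIPS:
            raise ConsistencyError(f"unknown relationship {relationship}")
        subject_type, object_type, complement = RELATIONSHIPS[relationship]
        for name, expected in ((subject, subject_type), (obj, object_type)):
            if self.types.get(name) != expected:
                raise ConsistencyError(
                    f"{relationship}: {name} is {self.types.get(name)}, "
                    f"expected {expected}")
        self.facts.add((subject, relationship, obj))
        # Store the converse so queries can be phrased from either side.
        self.facts.add((obj, complement, subject))

    def elements(self, etype):
        return {name for name, t in self.types.items() if t == etype}

    def subjects_of(self, relationship):
        return {s for s, r, _obj in self.facts if r == relationship}


def data_not_input(db):
    """Counterpart of: SET A = DATA THAT IS NOT INPUT."""
    return db.elements("DATA") - db.subjects_of("INPUT_TO")


def input_never_output(db):
    """DATA some ALPHA consumes but no ALPHA produces (a combined set)."""
    return db.subjects_of("INPUT_TO") - db.subjects_of("OUTPUT_FROM")


def build_sample():
    """Constructed sample entries; the element names are made up."""
    db = RequirementsDB()
    for name in ("VALIDATE_ORDER", "POST_ORDER"):
        db.add_element("ALPHA", name)
    for name in ("ORDER_NUMBER", "PART_NUMBER", "STATUS_CODE", "AUDIT_FLAG"):
        db.add_element("DATA", name)
    db.relate("VALIDATE_ORDER", "INPUTS", "ORDER_NUMBER")
    db.relate("VALIDATE_ORDER", "INPUTS", "PART_NUMBER")
    db.relate("VALIDATE_ORDER", "OUTPUTS", "STATUS_CODE")
    db.relate("POST_ORDER", "INPUTS", "STATUS_CODE")
    db.relate("POST_ORDER", "OUTPUTS", "AUDIT_FLAG")
    return db


if __name__ == "__main__":
    sample = build_sample()
    print("DATA not INPUT:", sorted(data_not_input(sample)))
    print("INPUT but never OUTPUT:", sorted(input_never_output(sample)))
```

In the sample, the second set holds data that would have to arrive in an input message; a real requirements data base would record that with further relationships not modelled here.
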

2.6.2.4 Generation and Execution of Simulators and Post-Processors

The automatic Simulation Generation (SIMGEN) function in REVS takes
the data base representation of the requirements of a data processing
system and generates from it discrete event simulators of the system.
These simulators are driven by externally generated stimuli. The baseline
system generates simulators to be driven by a System Environment and Threat
Simulation (SETS) type of driver program which models the system
environment (and the threat, where appropriate) and the components of the
system external to the data processing system.

Two distinct types of simulators may be generated by REVS. The first
uses functional models of the processing steps and may employ
simplifications to simulate the required processing. This type of simulation
serves as a means to validate the overall required flow of processing
against higher level system requirements. The other type of simulator uses
analytic models. These are models that use algorithms similar to those
which will appear in the software to perform complex computations. This
type of simulation may be used to define a set of algorithms which have the
desired accuracy and stability. Although real-time feasibility of a system
cannot be established using this algorithm set, the simulation does provide
proof of an analytic solution to the problem. Both types of simulations
are used to check dynamic system interactions.

The SIMGEN function transforms the data base representation of the
requirements into simulation code in the programming language PASCAL. The
flow structure of each R_NET is used to develop a PASCAL procedure whose
control flow implements that of the R_NET structure. Each processing step
(ALPHA) on the R_NET becomes a call to a procedure consisting of the model
or algorithm for that ALPHA. These models (or algorithms) for the ALPHA
must have previously been written in PASCAL. The data definitions and
structure for the simulation are synthesized from the requirements data
elements and their relationships and attributes in the data base.

By automatically generating simulators from the data base in this
manner, the simulations are ensured to match and trace to the requirements.
Since all changes are made to the requirements statements themselves, new
simulators can be readily generated as requirements change, and the changes
are automatically reflected in the next generation of the simulator.

For analytic simulations, SIMGEN also generates simulation
post-processors based on the statement of performance requirements in the
data base. Data collected from an analytic simulation can be evaluated using
the corresponding post-processor to test that the set of algorithms met the
required accuracies.

Both REVS generated simulators and post-processors are accessed for
execution through the Simulation Execution (SIMXQT) function for
simulators, and the Simulation Data Analysis (SIMDA) function for simulation
post-processors.

2.6.2.5 Processing Extensions to RSL

As mentioned earlier, the data base contains the RSL concepts used to
express requirements, as well as the requirements themselves. Extensions
and modifications to the concepts are processed by the RSL Extension
(RSLXTND) function of REVS. The RSLXTND function is actually performed by
the same software as RSL translation, but is accessed separately to control
extensions to the language through a lock mechanism built into the
software.

2.6.2.6 REVS Organization

The  above  discussion  has  identified  seven  functions  of  REVS:  RSL, 
RNETGEN,  RADX,  SIMGEN,  SIMXQT,  SIMDA,  and  RSLXTND.  As  shown  in  Figure  2-6, 
these  functions  are  under  the  control  of  a  higher  level  function,  the  REVS 
Executive.  The  Executive  presents  a  unified  interface  between  the  user  and 
the  different  REVS  functions. 

2.6.3  The  Application  Methodology 

Historically, the methods for developing a software specification
have been as numerous as the developers of such documents. In fact, few
cases can be cited in which any formal methodology could be quoted. Until
the specification appeared (often after thousands of man-years of effort),
nothing was available to show that it would actually be generated. In
addition, it has frequently been true that the quality of the
specification, even with respect to elementary consistency from one
requirement to another, could be verified only very late in software
development. Since the problems were discovered only when the cost of
correction was prohibitive, the requirements were frequently changed,
degrading system performance in order to have a "workable" product.

In our research we found that a methodology was needed to guide the
software development, and to make progress visible via measurable
milestones. As shown in Figure 2-7, SREM starts with a specification which
can be a formal specification, a conversation with the intended user, or a
mental image of the system. In addition, it has been found that SREM may
be applied to an existing software specification to verify its adequacy, as
has been done in this effort on the MOMS DFSR.

Figure 2-6 REVS Functional Organization

Figure 2-7 The SREM Methodology Process

The first step is to identify the specific functional and performance
requirements of the system, and to record them in the requirements data
base as ORIGINATING_REQUIREMENTs (what processing is to be done) or
PERFORMANCE_REQUIREMENTs (how well must the processing be done; accuracy,
timing, etc.). As the rest of the methodology proceeds, the need for the
various elements defined and recorded in the data base (R_NETs, MESSAGEs,
etc.) should have stemmed from these ORIGINATING_REQUIREMENTs and
PERFORMANCE_REQUIREMENTs. Consequently, a traceability is established
between pertinent elements and the requirement for them. Additionally, as
ambiguous areas of the requirement are clarified, or as new guidance
results, this fact can be documented in the data base as a DECISION, and
various elements of the data base may then properly be traced to these
decisions. With the requirements documented, actual definition of the
software requirement can be initiated to meet the requirements.

Based on the system specification or software specification, all
interfaces of the data processor are first identified, together with the
MESSAGEs that cross these interfaces and the MESSAGE contents. Next, DATA
and FILE information is identified that defines the information required to
be maintained about items of interest to the processing. These are stored
in ENTITY_CLASSes or ENTITY_TYPEs. R_NETs are then developed to specify
stimulus/response relationships required of the software to process each of
the input messages. We are now at Point A on Figure 2-7. During this
process, specific problems in the system specification will be found (such
as ambiguities and inconsistencies). These problems are corrected by an
iterative process between the software engineer and the user until the
specification is thought to be complete.

Next, the details of the functional requirements, including all of
the input/output data relationships, the processing steps, the attributes,
maximum values, minimum values, and the allowed data ranges, are completed.
RSL is used to input these requirements into the data base, and RADX is
executed to test for errors in consistency and completeness. When all the
information has been input and all the errors corrected, the result is a
functional specification (Point B), or in the case of a verification
effort, a verified functional specification.

Before the functional specification can be finalized, a simulation of
the system is appropriate. First, simple functional models are developed
for each of the processing steps and put through the simulation generation
function to establish the model for simulation. Once all models are built,
the simulator is executed to verify the entire process (Point C). Again,
we emphasize that the simulation is actually accomplished using the
requirements data base and the processing logic defined in the R_NETs. The
result is confidence in the correctness of the requirements data base since
it provides checks not possible from static analysis alone. For example,
the simulation can address whether the DATA input to the data base in one
R_NET and used in a different R_NET is actually present for use when the
using R_NET is exercised by the simulation.

After the functional requirement specification is validated, the
PERFORMANCE_REQUIREMENTs are developed. Such PERFORMANCE_REQUIREMENTs
usually aren't well structured; they are stated in system terms such as
"kill probability" and "miss distances" for which the software shares only
partial responsibility. The paths of the defined processing must be mapped
and the paths which are being CONSTRAINED by these PERFORMANCE_REQUIREMENTs
must be identified. Trade studies at this level will be performed until
the right performance requirements are allocated for each path. When all
of the paths are identified, the timing and analytic accuracy requirements
are specified for each of the paths, and all of this information is input
to the REVS data base. Completion of these steps results in a valid
software specification (Point D).

Before attempting to build expensive real-time code it may be necessary
to verify that the system is analytically feasible. To do this, one
more simulation step, called the analytical feasibility demonstration,
should be performed. This step will use real algorithms instead of
functional models for the processing steps. It may not run in real-time, but
it should consist of real algorithms expected to be used in the software.
It should be driven by a driver with enough fidelity to represent the best
understanding of the environment and measurements of the system to verify
that the software will actually provide the accuracies required (Point E).

The methodology developed within SREM is not only formal (in that it
provides an explicit sequence of steps leading to a validated
specification) but it is also manageable, enumerating multiple phases for
management review and analysis. Since it works from the highest levels of
software definition (processing and data flows) to the most detailed
(analytic models and data content) in a systematic manner, it supports early
detection of high-level anomalies. A key feature of SREM is that the
processing functions and data communications are considered in parallel,
rather than have either following the other. As a result, the connectivity
of the system is always complete, and it becomes possible to partition the
requirements effort among several groups early in the process without risking


2.7  SPECIFICATION  MANAGEMENT 

The management of a specification developed under SREM benefits most
from the common source in the data base of all the representations of the
software requirements. Thus, the simulation of the specification and the
documentation of its requirements will be consistent at all times, since
both have a single source of data for their generation without human
intervention. In addition to a common data base, the methodology itself
supports orderly software development planning and management, expedites
review and analysis of the effort, assists communication of the details of
the effort between participants, provides consistent rapidly attainable
documentation, simplifies impact analysis of requirement changes, and
assures early test planning capability. These valuable capabilities for
any software manager are briefly illustrated below.

2.7.1  Management  Planning  and  Control 

Because the methodology is a step-by-step sequence of events with
recognizable starting and ending points, it can be annotated with
milestones, recorded on charts, and otherwise controlled with the management
tools of the last several decades to provide predictability and control.
This is not to suggest that the creativity of the specification process can
either be scheduled or by-passed; it is still needed. However, the
methodology isolates it into segments with high visibility, and supports
management cognizance of its progress and impact.

Work may be easily assigned in a logical fashion because of the
stimulus-response approach of this methodology. Since each INPUT_INTERFACE
identified for the system is the source of all the input MESSAGES (stimuli)
passing through it, a division of responsibility by INPUT_INTERFACE is
appropriate. Thus, an engineer becomes responsible for developing the
R_NET for that interface and all the appropriate related information for
insertion into the requirements data base. Each requirements engineer
generally accomplishes the same methodology steps with his assigned effort
which, during the initial phase, are as illustrated in Figure 2-6. The
typical Management Milestones are also shown in that figure.

Figure 2-8 Relationship of Methodology Steps in Phase 1 of SREM

It is not necessary for one step to be completely finished in all
respects before the next can be undertaken. In most cases, the interfaces
and MESSAGES from some SUBSYSTEMS may be defined before those of others; in
this case, work could be initiated on the R_NET definition while interfaces
are being defined for the remainder of the system. The parallel aspects of
the network exemplify the modular capability for parallel R_NET
development.

To be useful for management control, it must be possible to recognize
when each milestone is completed. As will be shown, determination of the
status of these and other milestones can be attained by querying the ASSM
data base in various ways using the RADX system.

2.7.2  Review  and  Analysis 

The software manager who is using SREM has a ready means to determine
project progress (or lack thereof) for his internal review and analysis, or
to meet the need for specific information to support reviews by higher
level management, or by the user. This is accomplished through the
capabilities of RADX. A standard set of RADX tests has been developed to
assure that the data base will produce a complete, consistent, unambiguous
specification. Figure 2-9 provides an example of a few of these
prespecified queries.

In addition, REVS users may form their own queries. At review time,
for example, the manager can query the data base to determine the status of
efforts expected to have been accomplished by the time of the review. This
capability eliminates much of the need for subjective evaluation of
progress. Here is a sample of the kinds of data that could be obtained:

•  INPUT_INTERFACES that do not PASS MESSAGES. This would
indicate that MESSAGES that will be passed by this
interface have not yet been determined and entered into
the data base.

•  R_NETS that are not ENABLED by an existing
INPUT_INTERFACE. This would indicate that the R_NET for that
INPUT_INTERFACE has not yet been defined in the data
base.

•  MESSAGES that are not MADE BY DATA or FILE information.
These are messages whose contents have not yet been
defined.

These are only a few of the considerable list of queries that could be used
to determine status. Actually, different sets of queries would be
appropriate during each phase of the SREM process.



Figure  2-9  Partial  List  of  Prespecified  RADX  Tests 

The  output  from  each  query  (called  a  SET)  provides  a  number  which 
identifies  the  quantity  of  elements  in  the  data  base  that  satisfy  the 
specified  query,  and  a  listing  of  each  of  the  elements  in  the  SET.  For 
example,  in  the  third  sample  above,  after  indicating  the  quantity  of 
MESSAGES  that  are  not  MADE  BY  DATA  or  FILES,  the  names  of  each  MESSAGE 
would  be  listed.  Because  of  the  formality  of  RSL,  and  the  specific  meaning 
of  its  components,  communication  is  facilitated  in  discussions  with 
engineers  on  problems  identified  through  RADX  extractions  such  as  these. 


2.7.3  Technical  Communication 

Of all of the capabilities that SREM possesses, the capability to
expedite technical communication is the one most often mentioned by users
as an unexpected payoff. The R_NET and SUBNET structures are the primary
reason this is so. These structures are easy to understand and can distill
large amounts of text into a compact flow diagram. The clarity of this
approach is illustrated in Figure 2-10 for an R_NET describing the
processing required for an Aircraft Engine Monitoring System. In this
system, a MESSAGE is periodically received containing aircraft engine
temperatures and pressures and is to be processed so that the flight
engineer is warned when engine conditions are out of limits. In addition,
the engine readings are to be stored to provide engine history. Although
the reader is probably not too familiar with R_NET structures, it is not
very difficult to form a good idea of what is supposed to happen in the
processing. The only concept not previously discussed is the circles
labeled V1 through V4. These are VALIDATION_POINTs, which RECORD the DATA
and FILE information needed for software testing.

Figure 2-10 R_NET for the Engine Monitoring System

Because of the ability the R_NET has for efficient communication, it
is superb for use in engineering reviews, coordination between engineers,
and discussions between managers and their engineers. In addition, and
perhaps for the first time, the user can be given a chance to
understandably review the perceived software requirements (via the R_NETs),
with the distinct probability that he'll be able to identify areas where his
intentions were not properly specified, and thus provide for correction
before software design is started.

Another glance at the R_NET in Figure 2-10 will provide an
understanding of the ease with which such errors can be identified. Note that
at the OR Node immediately below the ALPHA called VALIDATE_MESSAGE, one of
two branches is followed, depending on the result of the processing in this
preceding ALPHA. If the result produces the DATA item called DATA_VALIDITY
with the value of NOT_VALID, processing ends for that MESSAGE. An astute
user would quickly perceive that if a long string of engine messages was
producing a NOT_VALID value (perhaps due to some DP system failure), and
even if one of the engines was burning up, no warning would be given
the flight engineer. This is clearly an unacceptable circumstance, and the
requirements could be clarified so that the "NOT_VALID" branch was
restructured to provide a warning after some number of consecutive invalid
inputs.
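The silent NOT_VALID branch and its restructured form can be compared in a few lines. The sketch below is an added example, not part of the original report or of REVS: the limits, the threshold of three consecutive invalid inputs, the warning names and the message layout are all assumptions chosen for illustration; only VALIDATE_MESSAGE, DATA_VALIDITY and NOT_VALID come from the text.

```python
from dataclasses import dataclass, field

VALID, NOT_VALID = "VALID", "NOT_VALID"   # values of DATA_VALIDITY

# Assumed values: the report gives no limits and says only "some number"
# of consecutive invalid inputs.
TEMP_LIMIT = 900.0
PRESSURE_LIMIT = 60.0
MAX_CONSECUTIVE_INVALID = 3


def validate_message(msg):
    """Stand-in for the ALPHA VALIDATE_MESSAGE: returns DATA_VALIDITY."""
    ok = (isinstance(msg, dict)
          and isinstance(msg.get("temperature"), (int, float))
          and isinstance(msg.get("pressure"), (int, float)))
    return VALID if ok else NOT_VALID


@dataclass
class EngineMonitor:
    warn_on_invalid_run: bool            # False = R_NET as drawn, True = restructured
    history: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    invalid_run: int = 0                 # consecutive NOT_VALID messages seen

    def process(self, msg):
        if validate_message(msg) == NOT_VALID:
            # As drawn in Figure 2-10, processing ends here with no output.
            if self.warn_on_invalid_run:
                self.invalid_run += 1
                if self.invalid_run == MAX_CONSECUTIVE_INVALID:
                    # Restructured branch: loss of monitoring is itself reported.
                    self.warnings.append("MONITORING_LOST")
            return
        self.invalid_run = 0
        self.history.append(msg)         # engine history
        if msg["temperature"] > TEMP_LIMIT or msg["pressure"] > PRESSURE_LIMIT:
            self.warnings.append("OUT_OF_LIMITS")


def run(stream, warn_on_invalid_run):
    monitor = EngineMonitor(warn_on_invalid_run)
    for msg in stream:
        monitor.process(msg)
    return monitor


# Constructed input: two good readings, then a DP failure garbles every message
# while the engine condition is unknown.
STREAM = [
    {"temperature": 650.0, "pressure": 42.0},
    {"temperature": 700.0, "pressure": 44.0},
    None, {"temperature": "??"}, b"\x00\x00", {}, None,
]

if __name__ == "__main__":
    print("as drawn:     ", run(STREAM, False).warnings)
    print("restructured: ", run(STREAM, True).warnings)
```

With the branch as drawn the flight engineer sees nothing after the second reading; the restructured branch raises one warning when the third consecutive invalid message arrives.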

2.7.4  Requirements  Data  Base  Documentation 

A further benefit for management is the capability of REVS to produce
consistent specifications, even when many changes are made over short
periods of time by many people in the project. One computer run yields the
information needed for a complete specification with all the latest
revisions. Of equal importance, if the proper thoroughness is applied to
every revision, last minute panics do not introduce undetected errors in the
documentation.




Figure  2-11  illustrates  a  typical  printout  showing  the  relationships 
in  a  hierarchical  arrangement  that  presents  a  clear  picture  of  some  of  the 
input  considerations  for  the  Engine  Monitoring  System.  Output  such  as  this 
is  very  useful  for  working-level  documentation.  It  is  compact,  to  the 
point,  and  readable,  although  it  may  not  be  sufficient  for  a  formal 
specification. 


LIST_OF_INPUT_INTERFACE_DEFINITIONS

SUBSYSTEM : ENGINE_MULTIPLEXER
   CONNECTED TO
   INPUT_INTERFACE : MUX_INPUT
      PASSES
      MESSAGE : ENGINE_MEASUREMENTS
         MADE BY
         DATA : MEASUREMENTS
            INCLUDES
            DATA : SENSOR_DATA
               INCLUDES
               DATA : MEASURED_P1
               DATA : MEASURED_P2
               DATA : MEASURED_P3
               DATA : MEASURED_T1
               DATA : MEASURED_T2
               DATA : MEASURED_T3
            DATA : SWITCH_DATA
               INCLUDES
               DATA : MEASURED_S1
               DATA : MEASURED_S2

Figure  2-11  Typical  REVS-Produced  Documentation 

REVS also provides the capability to produce the R_NETs via a CALCOMP
plot. Figure 2-12 provides an example. Here again the plot incorporates
all the latest data base changes and, therefore, is consistent with the
specification printout. Together, the CALCOMP plot and the automated text
output provide a total understanding of what the software is to do
(Functional Requirements) and how well it is to do it (Performance
Requirements).

Figure 2-12 Typical CALCOMP Plot

SREM also can document problems of which the manager may want to
remain cognizant. Usually at the early stage of system development, the
specifications are incomplete, contain many ambiguities, and leave several
issues for future resolution. SREM does not require that all omissions be
resolved before proceeding. Instead, a requirements engineer can proceed
from that which is clearly defined, and enter the requirements information
into the data base.

Where the data is not immediately available, is inconsistent, or
otherwise questionable, problem reports should be written and entered into
the data base for follow up. For example, when R_NETs are defined, the
requirements engineer will discover that:

•  He  doesn't  know  how  certain  MESSAGES  get  processed  under 
particular  conditions. 

•  He  doesn't  know  the  conditions  under  which  a  certain 
output  MESSAGE  is  to  be  produced. 

•  Certain  MESSAGE  contents  are  not  known. 




These  situations  and  others  like  them  can  be  recorded  as  problems  by 
entering  them  as  DECISIONS  without  CHOICE.  These  DECISIONS  without  CHOICE 
can  be  accessed  via  RADX  query  and  printed  out  to  present  the  manager  with 
an  automated  problem  list. 

Once  a  CHOICE  is  established,  usually  via  an  answer  from  the  user  to 
a  query,  the  answer  is  recorded  in  the  data  base  as  CHOICE.  Thus,  an  up- 
to-date  history  of  problems  encountered,  still  open,  and  closed  exists  at 
all  times  during  the  SREM  procedures.  This  not  only  provides  a  record  of 
current  status,  but  also  a  valuable  record  of  the  evolution  of  critical 
decisions  on  the  project  effort  for  future  reference. 

2.7.5  Assessing  the  Impact  of  Requirements  Changes 

As discussed earlier, a means is provided to establish traceability
of requirements. ORIGINATING_REQUIREMENTs are DOCUMENTED BY paragraphs in
SOURCE documents (system specifications, interface specifications, etc.)
and each key element of requirements data base is traced back to one or
more of these requirements. Although it requires some attention to detail
for the initial establishment of this traceability, there is a real pay-off
in assessing the impact of requirements changes. This impact assessment is
especially useful during the configuration management procedures for a
proposed change. The traditional, labor-intensive page-by-page search to
attempt to identify impacts is so burdensome that it is seldom completely
successful. As a result, there is concern that removing some portion of
the software may impact the processing in unforeseen ways.

By taking the time initially to establish traceability using the SREM
process, impact assessments of requirements changes are greatly eased. For
example, the following query could be formed and entered via RADX to
determine the impact of a change in the ORIGINATING_REQUIREMENT named
PROCESS_RADAR_INPUTS.

SET: ANY_ELEMENT = DATA, FILE, MESSAGE, INPUT_INTERFACE,
OUTPUT_INTERFACE, SUBSYSTEM, R_NET, SUBNET.

(Creates a set of all the indicated RSL elements)

SET: IMPACTED_ELEMENTS = ANY_ELEMENT WHICH IS TRACED FROM
ORIGINATING_REQUIREMENT PROCESS_RADAR_INPUTS.

(Creates a set of all elements named in the first set which
trace to the indicated ORIGINATING_REQUIREMENT. These are
the elements that could be impacted by this change.)

LIST: IMPACTED_ELEMENTS.

(This would result in a printout listing all elements that
are impacted by the change; that is, all those in the
derived set called "IMPACTED_ELEMENTS".)

Thus, with a single computer run, all portions of the previous
requirements engineering effort are identified that should be re-examined to
determine changes or realignment needed to adjust to the new requirement
change. More important, however, is that all the relationships these
elements have with other unchanged requirements are also provided by the
run. This assures that there is a full understanding of what areas would
be impacted by deletions or changes being contemplated. A comparison of
this approach to typical manual reviews yields a real appreciation of the
power of this capability.
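The status queries of Section 2.7.2 and the impact query above are both set operations over typed elements and named relationships. The following is an added example, not RADX itself or code from the report: it models a small constructed data base in Python, and every element name other than PROCESS_RADAR_INPUTS, as well as the underscore spelling of the relationship names, is an assumption made for illustration.

```python
from collections import namedtuple

Rel = namedtuple("Rel", "subject relation object")

# Constructed requirements data base: element name -> RSL element type.
ELEMENTS = {
    "RADAR": "SUBSYSTEM",
    "RADAR_IN": "INPUT_INTERFACE",
    "OPERATOR_IN": "INPUT_INTERFACE",
    "RADAR_RETURN": "MESSAGE",
    "RADAR_STATUS": "MESSAGE",
    "RANGE": "DATA",
    "TRACK_FILE": "FILE",
    "PROCESS_RETURN": "R_NET",
    "UPDATE_DISPLAY": "R_NET",
    "PROCESS_RADAR_INPUTS": "ORIGINATING_REQUIREMENT",
    "DISPLAY_TRACKS": "ORIGINATING_REQUIREMENT",
}

RELATIONS = {
    Rel("RADAR", "CONNECTED_TO", "RADAR_IN"),
    Rel("RADAR_IN", "PASSES", "RADAR_RETURN"),
    Rel("RADAR_IN", "PASSES", "RADAR_STATUS"),
    Rel("RADAR_RETURN", "MADE_BY", "RANGE"),
    Rel("RADAR_IN", "ENABLES", "PROCESS_RETURN"),
    Rel("RADAR_IN", "TRACED_FROM", "PROCESS_RADAR_INPUTS"),
    Rel("RADAR_RETURN", "TRACED_FROM", "PROCESS_RADAR_INPUTS"),
    Rel("PROCESS_RETURN", "TRACED_FROM", "PROCESS_RADAR_INPUTS"),
    Rel("TRACK_FILE", "TRACED_FROM", "PROCESS_RADAR_INPUTS"),
    Rel("TRACK_FILE", "TRACED_FROM", "DISPLAY_TRACKS"),
    Rel("UPDATE_DISPLAY", "TRACED_FROM", "DISPLAY_TRACKS"),
}

# Element types named in the ANY_ELEMENT set of the query in the text.
ANY_ELEMENT_TYPES = ("DATA", "FILE", "MESSAGE", "INPUT_INTERFACE",
                     "OUTPUT_INTERFACE", "SUBSYSTEM", "R_NET", "SUBNET")


def of_type(*types):
    return {name for name, kind in ELEMENTS.items() if kind in types}


def without_outgoing(candidates, relation):
    """Candidates that are never the subject of `relation`."""
    having = {r.subject for r in RELATIONS if r.relation == relation}
    return sorted(candidates - having)


def without_incoming(candidates, relation):
    """Candidates that are never the object of `relation`."""
    having = {r.object for r in RELATIONS if r.relation == relation}
    return sorted(candidates - having)


def status_report():
    """The three sample status queries of Section 2.7.2."""
    return {
        "INPUT_INTERFACES_NOT_PASSING_MESSAGES":
            without_outgoing(of_type("INPUT_INTERFACE"), "PASSES"),
        "R_NETS_NOT_ENABLED":
            without_incoming(of_type("R_NET"), "ENABLES"),
        "MESSAGES_NOT_MADE_BY_DATA_OR_FILE":
            without_outgoing(of_type("MESSAGE"), "MADE_BY"),
    }


def impacted_elements(requirement):
    """ANY_ELEMENT which is TRACED FROM the given ORIGINATING_REQUIREMENT."""
    any_element = of_type(*ANY_ELEMENT_TYPES)
    return sorted(r.subject for r in RELATIONS
                  if r.relation == "TRACED_FROM"
                  and r.object == requirement
                  and r.subject in any_element)


def shared_with_other_requirements(requirement):
    """Impacted elements that also trace to requirements that are not changing."""
    impacted = set(impacted_elements(requirement))
    shared = {}
    for r in RELATIONS:
        if (r.relation == "TRACED_FROM" and r.subject in impacted
                and r.object != requirement):
            shared.setdefault(r.subject, []).append(r.object)
    return {name: sorted(reqs) for name, reqs in shared.items()}


if __name__ == "__main__":
    for name, members in status_report().items():
        print(name, len(members), members)     # count, then listing, as a SET reports
    print(impacted_elements("PROCESS_RADAR_INPUTS"))
    print(shared_with_other_requirements("PROCESS_RADAR_INPUTS"))
```

In this constructed data base TRACK_FILE also traces to DISPLAY_TRACKS, so a change to PROCESS_RADAR_INPUTS reaches a requirement that was not itself being changed, which is the cross-requirement relationship the text says a manual page-by-page search tends to miss.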

2.7.6  Software  Test  Planning 

Software test planning difficulties are reduced by the SREM Analysis
approach of identifying processing paths (R_NETs) for various input
stimulus (messages). It impacts both the activities to be performed, and the
techniques for planning and managing test activities.

The definition of all possible branches of processing, to include
error paths, is a natural result of defining the R_NET for each input
stimulus (MESSAGE). Thus, each resulting branch is a possible candidate
for a software test. Generally, however, a smaller set of software tests
is designed by concentrating on the paths of greatest importance. A
VALIDATION_POINT may be added to such branches to indicate the appropriate
test data recording points for PERFORMANCE_REQUIREMENTS in the process.

Figure 2-13 illustrates two methods of determining
PERFORMANCE_REQUIREMENTS for various R_NET branches. As shown on the left,
such performance may be derived by allocation from the performance described
in the system requirements. In addition, there may be a one-on-one
application of a PERFORMANCE_REQUIREMENT to an R_NET branch, as shown on the
right. In either case, each PERFORMANCE_REQUIREMENT is linked to
(CONSTRAINS) a VALIDATION_PATH, which includes VALIDATION_POINTs for
measuring the test data needed to determine that the PERFORMANCE_REQUIREMENT
has been met.

Figure 2-13 Determination of Software Test Requirements

A VALIDATION_POINT is analogous to a test point in a piece of
electronic hardware. It is a port through which information is collected in
order to assess performance of the function under test. The information
RECORDED BY a VALIDATION_POINT may be DATA or FILES. A
PERFORMANCE_REQUIREMENT has an attribute called TEST, which uses the DATA and
FILE information RECORDED BY the VALIDATION_POINTs on a VALIDATION_PATH to
determine the pass/fail criteria for the TEST. All the information
concerning PERFORMANCE_REQUIREMENTs, VALIDATION_POINTs, VALIDATION_PATHs, and
TESTS is entered into the centralized data base.

This process assures that needed tests are derived and documented for
all appropriate processing paths, and that needed test data will be known
for each test. The positive implications of this for the attainment of a
testable software specification are clear and significant.

Two additional points are appropriate:

•  In order for the tester to determine the tests
appropriate to allow proper verification that the
software requirements are met, he has to discover all
the stimulus-response paths of consequence in the
system. No matter how the requirements are generated,
the tester is faced with this task. Thus, it makes
sense to develop the requirements using the same
stimulus-response approach, and thereby to avoid double
analysis of the requirement.

•  The identification of testing is very early in the
software development because it occurs during the
requirements phase. Since it is done in a way that is
directly usable by the tester, there is real economy of
effort and early confidence of appropriate testing by
all concerned.


2.8  MAINFRAME  REVS  SOFTWARE  CONFIGURATIONS 

The latest version of REVS, Version 14, is now installed and
operational at the following sites:

•  BMDATC Advanced Research Center (ARC), Huntsville,
Alabama.

•  TRW Defense and Space Systems Group (DSSG), Redondo
Beach, California.

•  Naval Air Development Center (NADC), Warminster,
Pennsylvania.

This  section  describes  the  REVS  configuration  at  each  of  these  sites  and 
provides  current  data  as  to  the  size  of  the  REVS  software,  in  terms  of 
lines  of  source  code  and  execution  memory  requirements. 

2.8.1  REVS  Source 

The basic REVS program consists of approximately 43,000 lines of
PASCAL organized into 1108 procedures and 291 lines of FORTRAN in 3
routines. At NADC, an additional 110 lines of FORTRAN in 5 routines are
required to support CALCOMP plotting. The REVS PASCAL source by function
is as follows:


Function            Source Lines

Executive               6921
CALCOMP Plotting        1072
RADX                    9665
RNETGEN                 4031
TESTER                  2900
Translator              7587
SIMDA                    492
SIMGEN                  9583
SIMXQT                   622

2.8.2  TRW  PASCAL  Development  System 

The PASCAL development system, which is used to support installation,
maintenance, and execution of REVS, consists of a PASCAL compiler, a
run-time library, and several utility programs. The compiler itself consists
of 7503 lines of PASCAL in 143 procedures. The run-time library consists of
43 routines with 1055 lines of PASCAL and 2235 lines of COMPASS. The 5
utility programs consist of 2294 lines of PASCAL.

2.8.3  Data  Base  Control  System  (DBCS)

The DBCS consists of 187 routines with a total of 10,520 lines. All
of these are written in FORTRAN except for one COMPASS routine of 141
lines. The inputs to the DBCS necessary to define the ASSM structure
consist of 195 card images. An additional 47 card images are required to
define the structure of a REVS post-processor data base.

2.8.4  Compiler  Writing  System  (CWS)

The  CWS  consists  of  5  PASCAL  programs  containing  5562  lines  and  3 
standard  input  files  totaling  946  lines  of  PASCAL.  The  definition  of  RSL 
consists  of  a  total  of  7195  source  lines  in  3  files.  This  source  is  a 
mixture  of  PASCAL  code  and  a  syntactic  and  semantic  definition  of  RSL. 

2.8.5  Ancillary  Files 

To construct and support REVS-generated simulators and
post-processors, several additional files are defined. The RISF, an input
file to SIMGEN, consists of 1313 PASCAL source lines. The post-processor
data base builder program and post-processor run-time library consist of 137
lines of FORTRAN in 5 routines and 454 lines of PASCAL in 23 procedures. The
RSL translator input statements necessary to define the nucleus data base are
contained in a file of 804 card images.

2.8.6  BMDATC  ARC  Installation 

At the ARC in Huntsville, Alabama, REVS is installed on a CDC 7600
operating under SCOPE 2.1.5. The REVS program is organized into 42
segments as defined by 137 input directives to the Segment Loader. The
execution of REVS is controlled by a 764-line COMPASS program which emulates
the macros defined for REVS.

This installation of REVS provides for 200 639-word data base pages
in large core memory (371470₈ words of LCM) and loads in a field length of
117116₈ SCM and 377040₈ LCM. A nominal REVS execution requires 160000₈
words of SCM. All REVS capabilities, including interactive ANAGRAPH
access, are available at the ARC.


2.8.7  TRW  DSSG  Installation 

REVS is operational on TRW/TSS (TRW computer center in Redondo
Beach, California) for batch and remote batch use. REVS operates under the
MACE operating system on the CDC CYBER 70/74 and CYBER 170/174 computers.
The REVS program is organized into 35 overlays as defined by 125 input
directives to the TSS loader. The execution of REVS is controlled by six
control-card PERFORM files containing 119 card images. A utility program
consisting of one 4-line FORTRAN routine and a 53-line PASCAL procedure is
defined to generate file identification banner pages.

Two REVS configurations exist on TSS. One allows 64 639-word data
base pages in central memory (117700₈ words of CM), the other allows 100
data base pages in central memory (174634₈ words of CM). The two absolute
programs required 226236₈ and 303302₈ words of CM loads. Nominal execution
field length requirements are 250000₈ and 325000₈, respectively.


2.8.8  NADC  Installation 

REVS operates on the two CDC 6600s and the CYBER 170/175 at NADC
(Warminster, Pennsylvania) under control of the KRONOS 2.1.1 operating
system. The REVS program may be executed in a batch or remote-batch mode
and is organized into 45 segments as defined by 357 input directives to the
CYBER Loader. The execution of REVS is controlled by an 873-line COMPASS
program which emulates the job control macros defined for REVS.

Three distinct versions of REVS are configured for the three
computers, each with a different ECS data base page buffer size (200, 400, or
500 256-word pages). The memory requirements on the three machines are as
follows:

                         Machine A    Machine B    Machine C

ECS                       310000₈      144000₈      372000₈
CM Load                   105022₈       73570₈      105332₈
Nominal CM to execute     150000₈      130000₈      150000₈

2.9  REVS  IMPLEMENTATION  ON  THE  DEC  VAX  11/780 

As part of a contractual effort from the Ballistic Missile Defense
Advanced Technology Center (BMDATC), TRW has installed REVS on a VAX
11/780. The reasons for this implementation were that:

•  It would be applicable for the development of the
Architecture Development Language (ADL) effort, which
allows the description of arbitrary architectures of
proposed computer system constructs. These are the
basis for modeling the system for the support of
investigation of the use of large numbers of
interconnected microprocessors on the BMDATC Advanced Testbed as
DP subsystem candidates.

•  With modification, it may have application to creation
of testbed software.

•  It will support DDP application investigations.

•  It  will  allow  many  new  users  to  have  REVS  for  their  use 
(where  now,  there  is  limited  availability  on  a  few  CDC 
machines)  such  that  broader  SREM  application  is 
possible. 

As part of this effort, TRW was to compare CPU times between the VAX
and the CDC 7600, to determine where the VAX CPU time was accumulating
during the execution of the REVS program, and to assess how these run times
could be reduced. The ratio of CPU times varied between 50 to 1 and 400 to
1, with test cases averaging 128 to 1. The heaviest usage was during RADX
executions, and since most of the test cases involved RADX, there was a
bias in the run times ratio toward the upper extremes. Because run time
differences of about 20 to 1 were expected, research was needed to
investigate the reasons, and was an important part of the study.

As a result of efforts under the BMDATC study, improvements amounting
to about 50 percent reduction in the above run time differences were
attained. Further reductions will require the optimization of the data
base management system (optimization was not a part of the study effort).
The results of the BMDATC effort have been excerpted from the final report
and printed in Appendix A for those desiring added information.


3.0  DESCRIPTION  OF  THE  SREM  APPLICATION  TO  THE  MOM  DFSR 


3.1  INTRODUCTORY  REMARKS 

The  purpose  of  this  section  is  to  present  a  profile  of  our  efforts  to 
apply  SREM  to  the  DFSR.  After  this  introduction,  and  a  discussion  of  the 
scope  of  the  effort,  a  description  of  the  SREM  process  will  be  presented  to 
describe  our  definition  of: 

•  Interface  elements. 

•  Stored data.

•  R_NETs.

•  Traceability. 

In each of these descriptions, the appropriate RSL concepts will be
introduced, together with a description and illustration of the approach to
the definition process. A comparison of the resulting RSL elements to those
described in the DFSR will then be provided followed by a discussion of
problems encountered.

Following that, and in preparation for the discussion of our evaluation
of the requirements data base, a tutorial on RADX and its use for
this  evaluation  will  be  presented.  This  will  be  followed  by  the  results  of 
our  RADX  evaluation. 

Finally,  an  analysis  will  be  presented  concerning  how  the  time  of  the 
software  engineers  assigned  to  this  effort  was  applied.  This  will  be  based 
on  the  diaries  maintained  during  the  MOM  DFSR  evaluation.  The  analysis 
will  include  statistics  of  interest  concerning  the  amount  of  effort  needed 
for  evaluation  of  a  specification  of  this  size,  and  how  it  was  distributed 
to  the  various  phases. 


3.2  SCOPE  OF  THIS  EFFORT 

The  evaluation  of  the  DFSR  under  this  contract  was  constrained  by 
several  factors  encountered  during  the  period  of  performance.  The  size  of 
the  specification  package  was  significant  for  the  time  available  and  the 
level of effort possible under the contract. In addition, the specifications
possessed two unexpected conditions:

•  There  was  a  significant  quantity  of  errors,  beyond  the 
number  that  was  anticipated. 

•  There  was  an  unexpectedly  large  quantity  of  input 
MESSAGES  to  be  considered,  since  each  individual  data 
item  was  actually  a  separate  input  for  which  processing 
was  defined. 

3.2.1  Approach  to  Overcoming  Delays  Caused  by  the  High  Error  Count 

We found such significant inconsistencies between the text which
described the required processing, the functional flowcharts, and the
Decision Logic Tables (DLTs) that we failed when we first attempted to
harmonize these three descriptions in order to synthesize the intent of
each portion of the processing. Complicating this problem was the fact
that no user existed whom we could query to determine the true intent.
Rather, we were required to provide our own answers. This turned out to be
so time consuming that we had to find a different approach if there was to
be any chance of completing the effort in the time available.

As  a  result,  it  was  clear  that  we  would  have  to  pick  one  of  the  three 
conflicting sets of processing descriptions and use it in isolation from
the  others  in  applying  the  SREM  methodology.  After  evaluation  of  each  of 
the  possible  sources,  we  selected  the  Decision  Logic  Tables  (DLTs)  for  use, 
primarily  because  they  presented  the  most  complete  processing  description 
of  the  three. 

In selecting the DLTs, we consciously decided to ignore the inconsistencies
between text, functional flow diagrams, and DLTs. Time did not
permit such an evaluation, although a few differences that were uncovered
during DLT evaluation were documented in Trouble Reports. We are satisfied
that many added Trouble Reports would have resulted if we had evaluated
text and functional flow diagram consistency as carefully as we did the
DLTs. These ignored inconsistencies would only have reflected format
content inconsistencies within the written specification, rather than the
more important adequacy and internal consistency of the processing logic.
Thus, our attention was focused within and between the DLTs, and between
the DLT definition of data identification compared to that within the
following DFSR Annexes:

• Annex A: Input Descriptions.

• Annex B: Output Descriptions.

• Annex C: Information Elements.

• Annex D: File Description.

However, the decision to concentrate on DLTs only partially solved
the size of the problem. When we followed the approach of analyzing the
DLTs, the error count still turned out to be beyond that originally expected,
and considerably more time was necessary for Trouble Report preparation
and coordination than had been contemplated. As a result, further
constraints on the effort were found to be needed so as to allow completion
within the allotted schedule. At this point, it was determined that the
goals of this effort would be duplicated if SREM was applied to both the
MOM and MPOM DFSRs. The format and contents of the MPOM DFSR were similar
to those of the MOM. It was, however, smaller and less complex, since the
man-machine, real-time aspect of the MOM specification was missing, and
since there were fewer input and output messages and global files to consider.
Consequently, since the MOM DFSR was more varied, and since it
contained far more processing requirements than the MPOM DFSR, it was
decided to concentrate on the MOM DFSR for our SREM application
demonstration.


The SREM methodology was designed to treat each group of input information
received or transmitted by the DP as a MESSAGE. Each input MESSAGE
provides a processing stimulus, the response to which is defined on an
R_NET. In the case of the MOM DFSR real-time processing, each of several
hundred data items is input to the system in response to a prompt cue
provided by the DP to the operator after he has successfully input the
preceding data item in the proper format and containing a legal value.


In terms of the current methodology, each DATA item thus input actually
is a separate RSL MESSAGE and presented the need to define a processing
path for each one. However, the SREM process contemplates the logical
processing of a MESSAGE, and not necessarily the detailed means for
implementing the correct construction of these MESSAGES as defined for
individual data inputs. It was clear that the desired output products of this
effort could not be attained if each such data input was treated as an
individual input MESSAGE. A way had to be found to shortcut this problem
without adversely impacting these desired products. We concluded that we
should treat this problem in a more summary fashion, as described in the
following paragraphs.

First, we decided to describe the process of individual data entry
required during the specified real-time processing in a generic fashion,
since each data item input was essentially processed in the same way. That
is, regardless of which data item was input, it was to be subjected to a
format and legal-value check, and an error message was to be produced if
incorrect. If the input was correct, the data was to be retained and the
next data input prompt was to be displayed. Or if an error was detected,
the current prompt was to be redisplayed. There also was the need to allow
the operator to skip a prompt if it described an optional input data item,
or to allow him to select the previous prompt if he desired.

In order to describe the generic approach of processing data inputs,
it was necessary to accomplish bookkeeping of information concerning what
data item is being processed, what the next prompt should be, what the last
prompt was, what the legal value and format for the item being input was,
what error code was appropriate if an error was detected, plus other
information necessary to allow the DP to recognize what process was underway and
what process was to follow. This capability was implemented by grouping
the needed bookkeeping information into ENTITY_CLASSes, and treating the
input of each data item as a single generic input MESSAGE. The result can
be seen in the regeneration of the SAMS requirement in Appendix B.

The  generic  impact  approach  for  data  input,  as  described  above, 
allowed  the  remainder  of  our  software  engineering  to  treat  the  processing 
described  in  the  DFSR  in  a  more  summary  fashion.  Each  real-time  process 
(XMA,  XMB,  etc.)  was  treated  as  if  the  stimulus  for  its  processing  was  a 
single  MESSAGE  (as  defined  in  Annex  A  of  the  DFSR)  and  each  such  MESSAGE 


which was MADE BY DATA for which all values were legal and correctly
formatted. This was feasible, since each of the individual data items in the
MESSAGE had initially been subjected to the tests we described in the
generic process for testing these individual inputs. Thus, the process
described in the net for XMA assumes that all the DATA encountered is of
the correct format and possesses a legal value. As a result, the processing
logic described in the R_NET assumes "correct" data and, therefore,
does not include the processing shown in the DLTs to assure that the data
are correct and legal, nor the prompts for the next operator entry. As
stated, all of this processing was covered in the generic definition of the
input process.

There  were  occasions,  however,  where  the  format  of  an  input  DATA  item 
was  not  constant  and,  therefore,  could  not  be  checked  during  the  generic 
input  process  because  specific  processing  was  necessary  to  determine  the 
correct format. For example, in the XMA and XMB processing, the PRT_NO_FLD
may have any of several formats, depending on whether it contains a
National Stock Number, a manufacturer's part number, or a commercial vehicle
code. In a case such as this, different format checks are necessary
and  the  processing  described  in  the  R_NET  must  determine  which  format  is 
appropriate  and  whether  the  DATA  item  actually  has  that  format.  All  other 
DATA  items  in  the  input  MESSAGES  that  did  not  possess  variable  formats  were 
subjected  to  the  generic  input  processing  previously  described. 
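
The generic input process described above, sketched as an added example (not code from the report or from REVS): a table of per-item bookkeeping drives the format and legal-value check, the error code, and the skip and previous-prompt handling, and an item whose format varies is passed on marked as unchecked so that the message-specific processing knows it still has to test it. Apart from PRT_NO_FLD, the item names, formats and error codes are assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ItemSpec:
    """Bookkeeping for one prompted data item (the role the ENTITY_CLASSes play)."""
    name: str
    pattern: Optional[str]           # None: format varies, checked by later processing
    legal: Optional[FrozenSet[str]]  # None: any correctly formatted value is legal
    error_code: str
    optional: bool = False


# Constructed prompt sequence. Only PRT_NO_FLD is a name from the report; the other
# names, every format and every error code are illustrative assumptions.
SPECS = [
    ItemSpec("WRK_ORD_NO", r"\d{6}", None, "E01"),
    ItemSpec("PRIORITY", r"\d{2}", frozenset({"01", "02", "03"}), "E02"),
    ItemSpec("PRT_NO_FLD", None, None, "E03"),
    ItemSpec("REMARKS", r"[A-Z0-9 ]{1,20}", None, "E04", optional=True),
]

# Assumed formats for the variable-format item (not taken from the DFSR).
PART_NUMBER_FORMATS = [
    ("NATIONAL_STOCK_NUMBER", r"\d{13}"),
    ("COMMERCIAL_VEHICLE_CODE", r"CV\d{4}"),
    ("MANUFACTURER_PART_NUMBER", r"[A-Z0-9][A-Z0-9-]{2,15}"),
]


class EntrySession:
    """One generic input MESSAGE being built, one prompted item at a time."""

    def __init__(self, specs):
        self.specs = list(specs)
        self.pos = 0            # index of the current prompt
        self.values = {}        # retained, accepted inputs
        self.unchecked = set()  # items accepted without a format check

    @property
    def done(self):
        return self.pos >= len(self.specs)

    @property
    def prompt(self):
        return None if self.done else self.specs[self.pos].name

    def _current(self):
        if self.done:
            raise ValueError("no prompt is outstanding")
        return self.specs[self.pos]

    def enter(self, text):
        """Return None and advance if accepted, else the error code (same prompt again)."""
        spec = self._current()
        if spec.pattern is None:
            self.unchecked.add(spec.name)
        elif not re.fullmatch(spec.pattern, text):
            return spec.error_code
        elif spec.legal is not None and text not in spec.legal:
            return spec.error_code
        self.values[spec.name] = text
        self.pos += 1
        return None

    def skip(self):
        """Skipping is allowed only for an optional item."""
        spec = self._current()
        if not spec.optional:
            return spec.error_code
        self.values.pop(spec.name, None)
        self.pos += 1
        return None

    def previous(self):
        """Select the previous prompt; its retained value is replaced on re-entry."""
        self.pos = max(0, self.pos - 1)

    def message(self):
        """Hand over the MESSAGE plus the names later processing must still check."""
        if not self.done:
            raise ValueError("MESSAGE incomplete at prompt " + self.prompt)
        return dict(self.values), set(self.unchecked)


def classify_part_number(value):
    """Message-specific check: decide which format applies, or None if none does."""
    for kind, pattern in PART_NUMBER_FORMATS:
        if re.fullmatch(pattern, value):
            return kind
    return None
```

Processing that assumes "correct" data can rely on every value in the MESSAGE except the names returned in the unchecked set.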

This approach served to reduce the application time for developing
the requirements data base so that the desired products of this demonstration
could be attained. However, this approach (if applied to a "real"
system under development) might create some problems, in that R_NETs so
derived don't literally match the approach outlined in the specification.
Although  the  approach  used  is  a  true  representation  of  the  overall  required 
processing,  the  literal  (rather  than  generic)  representation  of  each  data 
item  entry  as  a  separate  MESSAGE  would  be  preferable  for  verification  of  an 
actual  system  under  development.  It  should  be  recognized,  however,  that 
added  resources  (including  more  time)  would  be  necessary  for  application  of 
SREM  at  the  greater  level  of  detail  that  would  be  required. 




3.2.3  Impact  of  the  Selected  Approaches 

Based on the size and scope of the MOM DFSR, it is clear that many
man-years were devoted to its completion. Considerable manual effort was
clearly needed to organize, cross-reference, and produce the specifications.
A very small portion of the probable original effort expended on
this specification was available to accomplish this SREM engineering analysis.
Although time pressures required us to modify our approach slightly,
the resulting requirements data base and its RADX evaluation are complete
and we have high confidence that we have identified all the important
deficiencies, and nearly all of the less important ones that exist in the
MOM DFSR Decision Logic Tables. Thus, our applied approach has provided
the products desired under this contract in every particular.


3.3  DEVELOPMENT  OF  INTERFACE  ELEMENTS 

The initial phase in defining the requirements of the MOM DFSR required
the identification of the INPUT_INTERFACEs and OUTPUT_INTERFACEs
which  connect  the  data  processor  (DP)  with  external  devices  (SUBSYSTEMS  in 
RSL).  Once  the  interfaces  were  identified,  the  MESSAGES  passing  through 
them  and  the  contents  of  these  MESSAGES  were  defined.  These  items  were 
recorded  in  the  requirements  data  base  as  they  were  identified.  Table  3.1 
lists  the  RSL  definition  of  the  element  types,  the  relationships,  and  the 
complementary  relationships  used  in  the  development  of  interface  elements. 
Figure  3-1  illustrates  the  inter-relationships  of  these  defined  items. 

Table  3.1  RSL  Definitions  Used  in  the  Development  of  Interface  Elements 


DEFINITION OF ELEMENTS

SUBSYSTEM
    A PART OF THE SYSTEM WHICH COMMUNICATES WITH THE DATA
    PROCESSING SUBSYSTEM.

INPUT_INTERFACE
    A PORT BETWEEN THE DATA PROCESSING SUBSYSTEM AND ANOTHER
    SUBSYSTEM THROUGH WHICH DATA IS PASSED TO THE DATA
    PROCESSING SUBSYSTEM.

OUTPUT_INTERFACE
    A PORT BETWEEN THE DATA PROCESSING SUBSYSTEM AND ANOTHER
    PART OF THE SYSTEM THROUGH WHICH DATA IS PASSED TO THE
    OTHER SUBSYSTEM.

MESSAGE
    AN AGGREGATION OF DATA AND FILES THAT PASS THROUGH AN
    INTERFACE AS A LOGICAL UNIT.

FILE
    AN AGGREGATION OF INSTANCES OF DATA, EACH INSTANCE OF WHICH
    IS TREATED IN THE SAME MANNER.

DATA
    A SINGLE PIECE OF INFORMATION OR SET OF INFORMATION REQUIRED
    IN THE IMPLEMENTED SOFTWARE.

DEFINITION OF RELATIONSHIPS

CONNECTS TO (CONNECTED TO)
    IDENTIFIES WITH WHICH SUBSYSTEM THE INPUT_INTERFACE OR
    OUTPUT_INTERFACE COMMUNICATES.

PASSES (PASSED THROUGH)
    IDENTIFIES THE MESSAGES WHICH ARE PASSED THROUGH THE
    INTERFACE.

MAKES (MADE BY)
    INDICATES THAT THE DATA OR FILE IS A LOGICAL COMPONENT OF THE
    MESSAGE.

CONTAINS (CONTAINED IN)
    IDENTIFIES THE MEMBERS OF EACH INSTANCE IN A FILE; DATA MAY
    BE CONTAINED IN ONLY ONE FILE.

INCLUDES (INCLUDED IN)
    INDICATES A HIERARCHICAL RELATIONSHIP BETWEEN DATA, THAT IS
    DATA INCLUDES DATA.

Figure 3-1 Interface Element Interrelationships

3.3.1 Subsystem Definition

To  identify  the  SUBSYSTEMS,  we  reviewed  the  text,  the  functional  flow 
diagrams,  and  the  input  and  output  descriptions.  The  primary  source  for 
identification  of  the  SUBSYSTEMS  was  the  input  descriptions  of  Annex  A  and 
the  output  description  of  Annex  B.  The  SUBSYSTEMS  that  have  been  defined 
are listed in Table 3.2. These same sources produced the information as to
which SUBSYSTEMS transmitted information to the MOM USER data
(INPUT_INTERFACE in RSL) and which received information (OUTPUT_INTERFACE
in RSL).

Table 3.2 SUBSYSTEMS Identified in the MOM DFSR

SUBSYSTEM: MOM_CRT.
    CONNECTED TO:
        OUTPUT_INTERFACE: TO_MOM_CRT.

SUBSYSTEM: MOM_KEYBOARD.
    CONNECTED TO:
        INPUT_INTERFACE: FROM_MOM_KEYBOARD.

SUBSYSTEM: MOM_MAG_MEDIA.
    CONNECTED TO:
        INPUT_INTERFACE: FROM_MOM_MAG_MEDIA.
        OUTPUT_INTERFACE: TO_MOM_MAG_MEDIA.

SUBSYSTEM: MOM_PRINTER.
    CONNECTED TO:
        OUTPUT_INTERFACE: TO_MOM_PRINTER.


3.3.2  Interface  Definition 

An  INPUT_INTERFACE  in  RSL  denotes  a  link  through  which  information  is 
communicated into the DP. An OUTPUT_INTERFACE is one through which information
is communicated from the DP. The relationship of each type of
interface  is  that  it  is  connected  to  a  SUBSYSTEM.  Each  interface  passes 
one  or  more  messages,  but  to  prevent  ambiguity,  the  methodology  states  that 
a  specific  MESSAGE  may  pass  only  one  interface. 

3.3.3  MESSAGE  Definition 

MESSAGES  are  the  aggregation  of  DATA  and  FILEs  that  are  communicated 
as  logical  units  across  the  interfaces.  While  these  MESSAGES  are  made  by 
DATA  and  FILE  information,  a  single  DATA  item  or  FILE  may  be  used  to  make 
several  MESSAGES.  The  DATA  and  FILEs  that  an  interface  communicates  are 
those  that  MAKE  all  the  messages  that  PASS  through  the  interface.  A  FILE, 
as  used  here,  is  a  repetitive  set  of  one  or  more  DATA  items.  The  major 
source  of  MESSAGES  and  their  contents  also  was  Annexes  A  and  B. 

Each  input  and  output  file  in  Annexes  A  and  B  has  been  defined  as  an 
RSL  MESSAGE.  Where  necessary,  the  RSL  MESSAGE  name  was  slightly  modified 
from  Input/Output  File  Names  in  the  Annexes  to  insure  uniqueness.  For 
example, the suffix MSG_IN was added to identify the input messages while
the suffix MSG_OUT was utilized in a like manner to identify the output
messages. Because RSL allows the use of a synonym to shorten lengthy
titles, the unique number provided for each Input/Output description in the
DFSR Annexes (e.g., 12 01 KZ) was employed to fulfill this role. Where
possible, the data element abbreviations provided in the Annexes were used
as the RSL DATA names within each RSL MESSAGE. In order to assure
non-ambiguity, each DATA item is named uniquely. It was necessary, therefore,
to slightly modify the abbreviated data names in Annexes A and B, and to
add the suffixes IN or OUT, respectively.

In RSL, a MESSAGE is MADE BY DATA which may include other DATA. A
major summary DATA item made each MESSAGE. It included all of the data
elements contained in the input description of Annex A. This allowed use
of the summary item in the SREM definition of processing, but the system
still understood that all the INCLUDED DATA were involved. An example of
all the relationships produced from the requirements data base for the
input MESSAGE: WRK_ORD_REGISTRATION_DATA_MSG_IN is shown in Figure 3-2.


Figure 3-2 Hierarchical Definition of the MESSAGE:
WRK_ORD_REGISTRATION_DATA_MSG_IN
(RSL listing: the MESSAGE is EQUATED TO SYNONYM I2_01_KZ and MADE BY DATA;
the summary DATA item INCLUDES the individual input DATA items.)

3.3.3.1 Input MESSAGE Definition

Frequently,  it  was  necessary  that  an  Annex  A  input  description  be 
structured  into  more  than  one  RSL  MESSAGE.  An  example  of  this  situation  is 
provided  by  the  input  description  for  "Work  Order  Requirements  Data".  This 
input  description  addresses  three  distinct  subjects  --  Tasks,  Parts,  and 
Supplemental  Parts.  Each  of  these  subjects  requires  a  separate  entry  into 
the  DP,  and  each  is  MADE  BY  different  DATA  items.  Thus,  under  the  SREM 
rules,  these  are  three  separate  input  MESSAGES,  and  each  is  subjected  to 
separate  processing  logic.  Accordingly,  this  requirement  with  the  input 
title "Work Order Requirements Data" in Annex A resulted in the following
three RSL MESSAGES:

WRK_ORD_REQMTS_DATA_TASK_MSG_IN

WRK_ORD_REQMTS_DATA_PARTS_MSG_IN

WRK_ORD_REQMTS_DATA_SUPL_PARTS_MSG_IN

Table  3.3  provides  a  comparison  of  all  of  the  Annex  A  input  descriptions 
with  the  resultant  RSL  INPUT  MESSAGES. 




Table  3.3  Comparison  of  Annex  A  Input  Descriptions  and  Equivalent  RSL 
MESSAGE  Names 


SAMS DFSR ANNEX A: INPUT TITLE | ID CODE        RSL: SYNONYM | INPUT MESSAGE NAME

WORK  ORDER  REGISTRATION  DATA 

12  01  KZ 

I2_01_KZ 

WRK_ORO_REGISTRATION_OATA_.MS6JN 

WORK  ORDER  REGISTRATION  AODCTIONAL  OATA 

12  02  K2 

12_02JZ 

WRK  ORD  REGISTRATION  ADOL  OATA 

RPR_MSG_IN  ~ 

I2_02A_ia 

WRK  ORO  REGISTRATION  AOOL  DATA 
dSL_M§'S_IN 

WORK  ORDER  REQUIREMENTS  OATA 

12  03  a 

I2J03_<2 

WRKJ0HDJEQMTS_3ATA_TASK^MSG_:n 

r2_03A_<2 

WRK_ORO_R£OMTS_3ATA_?ARTS_MS6_I N 

I2_03a_IC2 

WRKJORD_REQMTS_OATA_SUPL_PARTS_MSG_IN 

WORK  ORDER  consumption  OATA 

12  04  K2 

I2_04_ia 

WRK_ORO_CaNSUMPTIQN_3ATA_LAaOH_MSG_IN 

I2_04A-K2 

WRK_3RQ_C0NSUMPTI0N_3ATA_?ARTS_MSG_:N 

I2_04B_XZ 

wrk_oro_:onsumption_3ata_:ask_msgjn 

WORK  ORDER  STATUS  OATA 

12  05  <Z 

I2_05_<2 

WRKJOROJTATUS_3ArA_MSu_;N 

■maintenance  program  OATA 

12  06  KY 

t2_06_<Z 

MA  INT_P90GRAM_3ATA_MSG_:  N 

maintenance  PROGRAM  REQUIREMENTS 

12  07  SM 

I2_07_9M 

MA  triTJROGRAMJEOUI  R£MENTS^MSG_:n 

REPAIR  PART  MORTALITY  OATA 

12  08  3M 

i2_0a_3M 

R£PA  1  R_?  ART_m0RTAL  ITY_0ATA_MSG_IN 

PART  NUMBER  change  DATA 

U  11  <r 

I2J2_XY 

PAfiT_NUMB£R_.;HANGE_3ATA_MS6_IN 

PARTS  RECSIPTS/STATUS/RECONCILIATION 

12  I3  K2 

t2_I3_<2 

PRTS_RC?TS_3TATUS_RECCNCII_RC?T_MSG_:N 

:2J2AJZ 

prts_rc?tsjtatus_r£conc:l_R£S?on_msg_:n 

I2J38_XZ 

PRTS_RCPT3_3TATUS_RECONC:lJTATUS_MSGJN 

SUPPLY  STATUS 

12  IS  30 

I2J5JO 

supplyjtatus_msg_;n 

SHIPMENT  STATUS 

!2  18  30 

!2JSJ0 

SHIPM£NT_3TAnjS_MSG_:N 

1  SSL  aojustment 

12  17  YY 

12^1 7_<Y 

SHUP_3TDCX_lCST_A0JUSTHE,NT_A_MSG_;n 

1 

•2J  7A_<Y 

SHOP  _STOCX_L  I  ST_AOJUSTHENTJ_aSGJ  N 

I2j;8_<Y 

3HOP_SToc:<_L ;  st_aojustment_:_'T5g_'.  n 

1 

:2J70-<Y 

3ENCH_STQCX_A0JUSTME.NT_3_MSG_'.N 

12  J  7E_<Y 

3E.NCH_ST0CX_A0JUSTMENT_S_MSG_:n 

:2jrF_<Y 

3Ench_stocx_aojustment_-_''Sg_::i 

. 

•2_'  7G_<Y 

3£NCH_STOCX_iOJUS:MENT_S_ASG_;N 

SUPPLY  RECONCILIATION 

12  13  3M 

I2J3_3M 

SUPPLf_REC3NCILIATI0N_ANJ«SG_:N 

r2J3A_3« 

supply_rec3ncil;ation__a?_'<5g_:n 

1  »ORK  ORDER  ^ARTS  ACUUSTMENT 

12  ;o  <R 

I2J0_';R 

^RX_;RDJARTS_AOJUSTMEfi;_MSG_:.N 

j  fOUrPMEjNT  RECALL  ■'<£«  ITEM 

iZ  JO  <y 

;2_OOA_<Y 

£Cuip_recall_'.'Ew_:'e.mj_.<sg_:.n 

! 

1 

:2_:c8_<Y 

•  QU I  ?_RECALL  _'IEW_:  'EM  J_''5G_;.N 

S0U!P»S'ir  recall  reouire.ments 

;;  03  S.M 

-SOU !  ?  _RE  CAL  .  J  ECU  I R  EMEN  :  ;  ^■'SG  _  ,  N 

1  ALT'CRO  requirements 

:2  :4  3Y 

::_:4  jY 

AL  :  JRU  _P£CU ;  R EME.N  TS  _  'SG _ .  N 

i  RLOAT  -ILE  adjustment 

;2  AO  <Y 

;2_A0_<Y 

=LOAT  !  .£_A0..US7HEN  T  n 

JSAGE  OATA 

12  -:o  <R 

:2J0_<R 

JSAGEJArA_-SG_;N 

OSAGE  OEVICS  lOIRPONENT  CHANGE 

[2  so  <Y 

;2_51_<Y 

jSAGEjEv  1 CE  _;omponemt_;hang£  _msg_;n 


USAGE  EXCEPTION  LIST 

12  S2  SR 

12_52JR 

USAGEJXCEPT I  ON_L  1  ST_MSG_1N 

USAGE  DATA  SURVEY  (ANNOTATED) 

12  S3  4R 

I2_53_4R 

USAGE_OATA_SURVEY_ANNOTATED_MS6_IN 

TASX  PERFORHANCE  FACTOR  ADJUSTMENT 

12  M  <Y 

I2_S0_XY 

TASX_PERF0RMANC£_FACT0R_A0JUSTMEMT_MSG_!N 

JORK  CENTER  LABOR 

12  70  XY 

12_70_XY 

RORX_CENTER_LABOR_MSG_IN 

TAaCE  SUILO 

12  96  XY 

I2J6A_XY 

TABLE  JU1LD_£CC_MSG_1N 

I2_96B_XY 

TABLEJU 1  LD_WRX_RE0_STA_MSG_1  N 

12J6£_XY 

TAaL£_8UIL0JT0CK_Sr0CXAG£_LEVEL_;'tSG_IN 

I2_960_XY 

TABLEJU  I  L0_1  NOU 1 RY  _ACT  I  ON_MSG_lN 

I2_96E-XY 

TABL  £  JU  ILD_W0RX_CENTER_MSG_1  N 

INQUIRY 

12  9r  XY 

I2_97A_XY 

INQUIRYJMSGJN 

12_97B_XY 

I NQU 1  RY  JUMMARY  _MSG_1  N 

parameter 

12  9a  XY 

12  98A  KY 

-  - 

PARAMETER_F0LLQW_UP_MSG_IN 

l2_98fl_XY 

PARAMETER  J0RX_0RDER_M5G_I  N 

12_98C_XY 

PARAMETER  J0RXL0A0JACXL0G_AG£_MSG_IN 

12_980_XY 

PARAMETER_PART5JTATUSJETA1L_MSG_IN 

I2_9BE-XY 

PARAMETERJEPORTJONTROL  JSG_iN 

12_98f_XY 

PARAM£TER^VORS_YORM_t)ATA_MSG_lN 

I2_78G_XY 

PARAMETERJREVIOUSJYCLE  JATE_MSGJN 

I2_9BH-XY 

parameter  juty_hours_msg_in 

CROSS  REFERENCE  TRANSACTION 

12  79  XY 

;2_79A_XY 

CR0SSJ£FERENCEJRANSACTI0N_AJSG_!N 

i2J9B_XY 

CR0SS_REFERENCE_TRANSACTIQNJ__MSG_!N 

3.3.3.2 Output MESSAGE Definition

The output descriptions provided in Annex B were the source for RSL
OUTPUT MESSAGES. An example of an output MESSAGE from the requirements
data base is shown in Figure 3-3. As with the input descriptions of Annex
A, the messages defined by the output descriptions in Annex B sometimes had
to be divided into more than one RSL MESSAGE. This implied requirement was
determined after the completion of an analysis of the hardcopy formats
provided in Annex B. These formats show that portions of the outputs are
single item entries (such as the heading information), while other portions
provide fields of repetitive information. An example of a MESSAGE that
does not have to be divided is shown in Figure 3-4. In RSL terms, the
heading information is a group of DATA items (UIC_SPT, WORK_CENTER_NR,
DATE, etc.). Following the header, there are three groups of repetitive
sets of DATA. These groups are: 1) WORK ORDERS IN PROCESS, 2) WORK ORDERS
AWAITING WORK CENTER, and 3) WORK ORDER AWAITING PARTS. Within each of
these groups, a separate line of information (several DATA items) is
printed for each Work Order that meets the criteria for the group. Thus,
in RSL, each group is a FILE containing multiple instances of DATA (one
instance for each line to be printed under the group). Accordingly, the

Figure 3-3 Hierarchical Definition of the Output MESSAGE:
FLOAT_STATUS_REPORT_MSG_OUT
(RSL listing: the MESSAGE with its SYNONYM, its documenting SOURCE, and the
DATA items it is MADE BY.)

[Figure 3-4: hardcopy output format of the Work Center Summary]


Figure 3-5 Hierarchical Definition of the Output MESSAGE:
WORK_CENTER_SUMMARY_MSG_OUT
(RSL listing: the MESSAGE is MADE BY FILEs, each of which CONTAINS the DATA
items of one repetitive group, and by header and trailer DATA items that
INCLUDE their component DATA.)


A  problem  arises,  however,  in  properly  defining  the  processing  for 
the  output  description:  Equipment  Recall  Schedule,  as  shown  in  Figure  3-6. 
In  this  format,  a  multiple  listing  contains  several  end  items  of  equipment 
being  recalled.  Because  of  its  multiple  nature,  these  items  would  normally 
be  CONTAINED  in  a  FILE.  For  each  such  end  item,  a  multiple  list  of  Work 
Order  numbers  (one  for  each  item  of  that  type  being  recalled)  exists  which 
includes  other  data  to  be  printed  along  with  each  Work  Order  Number  on 
multiple  lines.  This  also  would  normally  be  organized  as  a  FILE  which 
CONTAINS  all  the  DATA  items  to  be  printed  on  each  Work  Order  Number  line. 

A  problem  exists  because  the  formal  foundations  of  SREM  do  not  allow  a  FILE 
within  another  FILE,  as  is  suggested  by  the  FILE  of  work  order  information 
lines  within  each  instance  of  the  FILE  of  end  items  as  shown  by  the  format 
of  this  report.  To  handle  this  situation  unambiguously,  this  output  must 
be treated in RSL as two MESSAGES. The first provides the one-time provision
of header data, which is illustrated in Figure 3-7. The second
MESSAGE  is  MADE  BY  the  two  DATA  items  for  the  part  number  and  the  end  item 
nomenclature,  plus  a  FILE  which  CONTAINS  multiple  sets  of  the  DATA  for  the 
Work  Order  Number,  the  item's  serial  number,  the  maintenance  code,  and  the 
equipment  location.  The  RSL  implementation  of  the  second  MESSAGE  is  shown 
in  Figure  3-8.  Table  3.4  compares  all  the  Annex  B  message  names  to  their 
RSL  equivalents. 


Figure  3-6  Format  for  the  Equipment  Recall  Schedule  Report 




MESSAGE EQUIP_RECALL_SCHEDULE_HEADER_MSG_OUT.
    FORMED BY ALPHA PREP_EQP_RCL_SCH_HEADER_INFO_MSG.
    MADE BY
        DATA DATE_PREP_ORD_22_AM
        DATA UNIT_NAME_SPT_22_AM
        DATA UIC_SPT_22_AM
        DATA UNIT_NAME_CUST_22_AM
        DATA UIC_CUST_22_AM.
    EQUATED TO SYNONYM 02_22_AM.


Figure 3-7  Hierarchical Definition of the Output MESSAGE:
EQUIP_RECALL_SCHEDULE_HEADER_MSG_OUT


MESSAGE EQUIP_RECALL_SCHEDULE_MSG_OUT.
    FORMED BY ALPHA PREP_EQP_RCL_SCH_22_AM_MSG.
    MADE BY
        DATA PRT_NO_FLD_22_AM
        DATA ITEM_NOMEN_ITEM_NOUN_FLD_22_AM
        FILE EQUIP_RECALL_SCH_OUT.
    EQUATED TO SYNONYM 02_22A_AM.

FILE EQUIP_RECALL_SCH_OUT.
    CONTAINS
        DATA EQUIP_SER_LCL_CON_NO_FLD_22_AM
        DATA RQR_MAINT_CD_22_AM
        DATA MAINT_SCD_SVC_DATE_ORD_22_AM
        DATA EQUIP_LOC_22_AM
        DATA WRK_ODR_NO_22_AM.


Figure 3-8  Hierarchical Definition of the Output MESSAGE:
EQUIP_RECALL_SCHEDULE_MSG_OUT
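The FILE restriction discussed above can be checked mechanically. The following Python sketch is an added example, not code from the report or from REVS: it models MESSAGE, FILE and DATA definitions with hypothetical classes, flags a FILE nested in a FILE and DATA CONTAINED IN more than one FILE, and shows that the two-MESSAGE treatment of the Equipment Recall Schedule passes. The DATA names and the END_ITEMS FILE are constructed for illustration.

```python
"""Check RSL-style MESSAGE/FILE/DATA definitions against two rules from the
report: a FILE may not appear inside a FILE, and DATA may be CONTAINED IN
only one FILE. Class and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Data:
    name: str


@dataclass
class File:
    name: str
    contains: List[Union["Data", "File"]] = field(default_factory=list)


@dataclass
class Message:
    name: str
    made_by: List[Union[Data, File]] = field(default_factory=list)


def check_definitions(messages):
    """Return a sorted list of rule violations found in the given MESSAGEs."""
    problems = []
    owner = {}  # DATA name -> name of the FILE that CONTAINS it

    def visit_file(f, parent):
        if parent is not None:
            problems.append(f"FILE {f.name} is nested inside FILE {parent.name}")
        for member in f.contains:
            if isinstance(member, File):
                visit_file(member, f)
            else:
                first = owner.setdefault(member.name, f.name)
                if first != f.name:
                    problems.append(
                        f"DATA {member.name} is CONTAINED IN both "
                        f"{first} and {f.name}")

    for msg in messages:
        for item in msg.made_by:
            if isinstance(item, File):
                visit_file(item, None)
    return sorted(problems)


def split_report(report_name, header, item_fields, line_file):
    """Apply the report's workaround: one header MESSAGE sent once, plus a
    second MESSAGE MADE BY the end-item DATA and a single FILE of lines."""
    header_msg = Message(f"{report_name}_HEADER_MSG_OUT", list(header))
    item_msg = Message(f"{report_name}_MSG_OUT", list(item_fields) + [line_file])
    return [header_msg, item_msg]


# Constructed sample, following the prose description of the report format.
LINES = File("EQUIP_RECALL_SCH_OUT", [
    Data("WORK_ORDER_NO"), Data("SERIAL_NO"),
    Data("MAINT_CODE"), Data("EQUIP_LOCATION")])
HEADER = [Data("DATE_PREPARED"), Data("UNIT_NAME_SPT"), Data("UIC_SPT")]
ITEM = [Data("PART_NO"), Data("ITEM_NOMENCLATURE")]

# Literal reading of the printed format: a FILE of end items, each of which
# holds a FILE of work order lines. This is what RSL does not allow.
NAIVE = [Message("EQUIP_RECALL_SCHEDULE_MSG_OUT",
                 HEADER + [File("END_ITEMS", ITEM + [LINES])])]

# The two-MESSAGE form described in the text.
SPLIT = split_report("EQUIP_RECALL_SCHEDULE", HEADER, ITEM, LINES)

if __name__ == "__main__":
    print("naive:", check_definitions(NAIVE))
    print("split:", check_definitions(SPLIT))
```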

Table 3.4  Comparison of Annex B Output Description and Equivalent RSL
MESSAGE Names (Continued)


3.4  DEVELOPMENT  OF  GLOBAL  DATA 


There  are  two  categories  of  DATA  in  RSL:  LOCAL  and  GLOBAL. 

Data which is LOCAL is associated only with the R_NET in which it is
initialized or introduced (by an input MESSAGE or the OUTPUT FROM an ALPHA)
and is not accessible to any other R_NET. It exists only until processing
in that R_NET is complete. For example, if there is a DATA item called X
which is LOCAL to an R_NET, each time that the R_NET is traversed, X will
have a value, but each time the value may be different, and only the
current value of X is available for any given traversal. GLOBAL DATA, on the
other hand, is permanent and can be accessed by any R_NET any time it is
traversed.

The concept ENTITY is used as a means of organizing the global data
in REVS. An ENTITY_CLASS is a repetitive data set which is meant to
correspond to some real object or conceptual entity which is of concern to the
DP, and an ENTITY_TYPE is a sub-classification within an ENTITY_CLASS. An
ENTITY_CLASS is COMPOSED OF ENTITY_TYPEs. ENTITY_CLASSes and ENTITY_TYPEs
have GLOBAL DATA and FILES ASSOCIATED WITH them. DATA or FILES which are
common to all the ENTITY_TYPEs in the ENTITY_CLASS are ASSOCIATED WITH the
ENTITY_CLASS, and each ENTITY_TYPE in the ENTITY_CLASS can have different
DATA or FILES ASSOCIATED WITH it. An ENTITY_CLASS or ENTITY_TYPE usually
possesses several instances of the set of DATA and FILEs ASSOCIATED with
it. The definitions for RSL elements and relationships which apply in
developing the GLOBAL data for the MOMs DFSR are given in Table 3.5, and
their interrelationships are illustrated in Figure 3-9.

Some GLOBAL DATA or FILEs are not associated with an ENTITY_CLASS or
ENTITY_TYPE because there is never more than one instance of them
maintained GLOBALLY in memory. These may be GLOBAL flags, GLOBAL lists, GLOBAL
constants, or any other DATA items whose values change from time to time,
but for which no more than one value is ever resident at one time. In the
MOMs DFSR, an example is CURRENT_DATE which is used as the source of
information for transfer as DATA being stored in an ENTITY_CLASS or ENTITY_TYPE
during certain processing.

The ENTITY_CLASSes and ENTITY_TYPEs were developed primarily from
Annex D of the MOM DFSR. Each data base description in Annex D was treated
as an ENTITY_CLASS with at least one ENTITY_TYPE being assigned to each.
SYNONYMS were assigned to each ENTITY_CLASS, using the File ID from the



Table 3.5  RSL Definitions Used in the Development of ENTITY_CLASSes and
ENTITY_TYPEs

DEFINITION OF ELEMENTS

ENTITY_CLASS
    A GENERAL CATEGORY OF OBJECTS OUTSIDE THE DATA PROCESSING
    SUBSYSTEM. THE OBJECTS ARE THOSE IN THE ENVIRONMENT ABOUT
    WHICH THE DATA PROCESSING SUBSYSTEM MUST MAINTAIN INFORMATION.

ENTITY_TYPE
    A SUBSET WITHIN A GENERAL CLASS (ENTITY_CLASS) OF OBJECTS
    OUTSIDE THE DATA PROCESSING SUBSYSTEM ABOUT WHICH THE DATA
    PROCESSOR MUST MAINTAIN INFORMATION.

FILE
    AN AGGREGATION OF INSTANCES OF DATA, EACH INSTANCE OF WHICH
    IS TREATED IN THE SAME MANNER.

DATA
    A SINGLE PIECE OF INFORMATION OR SET OF INFORMATION REQUIRED
    IN THE IMPLEMENTED SOFTWARE.

DEFINITION OF RELATIONSHIPS

COMPOSES (COMPOSED OF)
    IDENTIFIES TO WHICH ENTITY_CLASS AN ENTITY_TYPE BELONGS.

ASSOCIATES (ASSOCIATED WITH)
    IDENTIFIES WHICH DATA AND FILES COME INTO EXISTENCE WHEN A
    DATA PROCESSING STEP (AN ALPHA) EITHER CREATES AN INSTANCE
    OF AN ENTITY_CLASS OR SETS THE ENTITY_TYPE OF AN INSTANCE OF
    AN ENTITY_CLASS.

CONTAINS (CONTAINED IN)
    IDENTIFIES THE MEMBERS OF EACH INSTANCE IN A FILE; DATA MAY
    BE CONTAINED IN ONLY ONE FILE.

INCLUDES (INCLUDED IN)
    INDICATES A HIERARCHICAL RELATIONSHIP BETWEEN DATA; THAT IS,
    DATA INCLUDES DATA.

Figure 3-9  GLOBAL DATA and FILE Interrelationships




equivalent  file  description  in  Annex  D.  Table  3.6  provides  a  comparison  of 
the  files  in  Annex  D  and  RSL  equivalent  ENTITY_CLASSes.  An  example  of  a 
completely  defined  ENTITY_CLASS  from  the  requirements  data  base  is  shown  in 
Figure  3-10. 

An instance of an ENTITY_CLASS is equivalent to a record in a file of
Annex D. A new instance of an ENTITY_CLASS (a record) is CREATED BY an
ALPHA in an R_NET, and the data stored in the new instance of the
ENTITY_CLASS is typically provided by one of the input MESSAGES described as
real-time processing (e.g., XMA, XMB, etc.).

A particular instance of an existing ENTITY_CLASS or ENTITY_TYPE may
be SELECTed in an R_NET or SUBNET such that a certain boolean condition
exists. An example of the use of the SELECT node is shown in Figure 3-11a.
Once selected, all the DATA and FILE information ASSOCIATED with the
selected ENTITY_CLASS or ENTITY_TYPE remains available until another instance of
the same ENTITY_CLASS or ENTITY_TYPE is selected, or the processing on the
R_NET on which SELECTed is completed.

A sequence of SELECTS can be defined in an R_NET or SUBNET by using
the FOR EACH node. This may be non-conditional, as shown in Figure 3-11b,
which means that all instances of the defined repetitive set (an
ENTITY_CLASS, an ENTITY_TYPE, or a FILE) are each selected in turn and subjected
to the processing described by the ALPHA or SUBNET which follows the FOR
EACH node (the ALPHA and SUBNET are the only legal nodes that can follow a
FOR EACH). The FOR EACH may also be conditionally constrained, as
illustrated in Figure 3-11c. In such a case, only the members of the repetitive
set for which the conditional statement is true are selected in turn for
the indicated processing of the following ALPHA or SUBNET.

Finally, at some point in the processing, ENTITY_CLASS instances will
typically no longer be needed and should be purged. This is accomplished
by selecting the appropriate instance of the ENTITY_CLASS which can then be
DESTROYED BY an ALPHA.


Table 3.6  Comparison of Annex D Files and Equivalent RSL ENTITY_CLASSes
and ENTITY_TYPEs



ENTITY_CLASS: CROSS_REFERENCE_FILE
    EQUATED TO
        SYNONYM: F2_01_8P_XREF
    DOCUMENTED BY
        SOURCE: APP_D_PAGE_D2
    COMPOSED OF
        ENTITY_TYPE: MANEUVER_CUSTOMER_B_CARD
            ASSOCIATES
                DATA: MNVR_CUST_CR_REF_INFO
                    INCLUDES
                        DATA: AAC_CUST_CRF_B
                        DATA: ACCT_PROC_FLD_CUST_CRF_B
                        DATA: CARD_DSG_CD_SAMS_CRF_B
                        DATA: COMD_DSG_MSTR_REC_CRF_B
                        DATA: COMD_DSG_REIMB_CUST_CRF_B
                        DATA: UIC_CUST_CRF_B
                        DATA: UIC_PRNT_UNIT_CUST_CRF_B
                        DATA: UNIT_NAME_CUST_CRF_B
                        DATA: UNIT_NAME_PRNT_CUST_CRF_B
        ENTITY_TYPE: SUPPORT_UNIT_A_CARD
            ASSOCIATES
                DATA: SPT_UNIT_CR_REF_INFO
                    INCLUDES
                        DATA: AAC_SPT_CRF_A
                        DATA: ACCT_PROC_FLD_SPT_CRF_A
                        DATA: CARD_DSG_CD_SAMS_CRF_A
                        DATA: COMD_DSG_REIMB_CUST_CRF_A
                        DATA: UIC_PRNT_UNIT_SPT_CRF_A
                        DATA: UIC_SPT_INDIC_CRF_A
                        DATA: UNIT_NAME_PRNT_SPT_CRF_A
                        DATA: UNIT_NAME_SPT_CRF_A
    ASSOCIATES
        DATA: HDR_DATA_ELEMENTS_CR_REF_INFO
            INCLUDES
                DATA: COMD_DSG_REPT_RQMT_CRF
                DATA: FILE_IDENT_NO_CD_CRF
                DATA: INA_ACT_CD_CRF
                DATA: NORM_WRK_FO_TEN_CRF
                DATA: PCN_CRF
                DATA: PREV_DAY_CYC_DATE_CRF
                DATA: PREV_MO_CYC_DATE_CRF
                DATA: PREV_WKLY_CYC_DATE_CRF
                DATA: REP_END_DATE_ORD_CRF
                DATA: REP_START_DATE_ORD_CRF
        DATA: UIC_SPT_CRF
            INCLUDES
                DATA: DESCRIPTIVE_DESIG_CRF
                DATA: PRNT_ORG_DESIG_CRF
                DATA: SVC_DESIG_CRF

Figure 3-10  Hierarchical Definition of the ENTITY_CLASS:
CROSS_REFERENCE_FILE


Figure 3-11  Examples of a SELECT and FOR EACH Node


3.5  DEVELOPMENT  OF  REQUIREMENTS  NETS  (R_NET) 

Once the interfaces, and MESSAGES that cross these interfaces, were
identified, analysis of the processing stimulated by the receipt of the
input MESSAGES was initiated and documented by development of R_NET and
SUBNET structures. Definition of the elements and relationships used in
development of R_NETs is shown in Table 3.7. The inter-relationships of
these items are provided in Figure 3-12.

3.5.1  R_NET Considerations

Functionally, the R_NETs describe the processing steps (ALPHAs) which
must be performed as a result of the arrival of each input MESSAGE, the
sequence of the ALPHAS, the logical process branching, and the output
MESSAGES which the data processor is required to produce.

The R_NET resembles a traditional flow chart in appearance and
represents the processing required in response to each possible stimulus. This
stimulus may be either of two types: the arrival of a MESSAGE from
another SUBSYSTEM at the INPUT_INTERFACE on the R_NET, or the occurrence of
some EVENT. In the former case, the R_NET is said to be ENABLED by the
INPUT_INTERFACE and this interface appears as the first node on the R_NET
structure. In the latter case, the R_NET is ENABLED by the EVENT, which
itself appears as a node on some R_NET or SUBNET (or on more than one such
structure) in the system. The interpretation is that the subject R_NET is
ENABLED whenever control reaches the EVENT node on the R_NET or SUBNET on
which the EVENT appears.

An ALPHA is a processing step which possesses a single entry and exit
path. The ALPHA processes DATA and FILE information which is INPUT TO it,
accomplishes the appropriate DATA transformations, and OUTPUTS the
resulting DATA and FILE information for GLOBAL storage, for use in subsequent
branching logic, for use in following ALPHAS or for producing an output
MESSAGE. An ALPHA may also describe other processing. For example, an
ALPHA can:

•  FORM an output MESSAGE.

•  CREATE a new instance of an ENTITY_CLASS.




Table 3.7  RSL Definitions Used in the Development of R_NETs

DEFINITION OF ELEMENTS

R_NET
    A STRUCTURED GRAPH OF LOGICAL PROCESSING STEPS THAT MUST BE
    PERFORMED BY THE DATA PROCESSING SUBSYSTEM IN RESPONSE TO
    EXTERNAL OR INTERNAL STIMULI. THE PROCESSING STEPS ARE ALPHAS
    OR SUBNETS WHICH MAY BE EXPANDED TO LOWER LEVELS OF DETAIL.

SUBNET
    A SUBSTRUCTURE OF LOGICAL PROCESSING STEPS THAT MUST BE
    PERFORMED TO ACCOMPLISH THE REQUIREMENTS OF THE NEXT HIGHER
    NETWORK (SUBNET OR R_NET) ON WHICH THE SUBNET IS REFERENCED.

ALPHA
    A BASIC PROCESSING STEP IN THE FUNCTIONAL REQUIREMENTS.

ENTITY_CLASS
    A GENERAL CATEGORY OF OBJECTS OUTSIDE THE DATA PROCESSING
    SUBSYSTEM. THE OBJECTS ARE THOSE IN THE ENVIRONMENT ABOUT
    WHICH THE DATA PROCESSING SUBSYSTEM MUST MAINTAIN INFORMATION.

ENTITY_TYPE
    A SUBSET WITHIN A GENERAL CLASS (ENTITY_CLASS) OF OBJECTS
    OUTSIDE THE DATA PROCESSING SUBSYSTEM ABOUT WHICH THE DATA
    PROCESSOR MUST MAINTAIN INFORMATION.

MESSAGE
    AN AGGREGATION OF DATA AND FILES THAT PASS THROUGH AN
    INTERFACE AS A LOGICAL UNIT.

FILE
    AN AGGREGATION OF INSTANCES OF DATA, EACH INSTANCE OF WHICH
    IS TREATED IN THE SAME MANNER.

DATA
    A SINGLE PIECE OF INFORMATION OR SET OF INFORMATION REQUIRED
    IN THE IMPLEMENTED SOFTWARE.

DEFINITION OF RELATIONSHIPS

CREATES (CREATED BY)
    INDICATES THAT THE ALPHA CREATES AN INSTANCE OF THE ENTITY_CLASS.

DESTROYS (DESTROYED BY)
    INDICATES THAT THE ALPHA DESTROYS THE CURRENTLY SELECTED INSTANCE
    OF THE ENTITY_CLASS.

FORMS (FORMED BY)
    INDICATES THAT THE ALPHA ESTABLISHES THE MESSAGE AS THE ONE TO BE
    PASSED BY THE CORRESPONDING OUTPUT INTERFACE WHEN THAT INTERFACE
    IS ENCOUNTERED ON THE NET.

INPUTS (INPUT TO)
    IDENTIFIES THE DATA AND FILES USED BY THE ALPHA.

OUTPUTS (OUTPUT FROM)
    IDENTIFIES THE DATA AND FILES WHOSE VALUES OR CONTENTS ARE MODIFIED
    BY THE ALPHA.

SETS (SET BY)
    INDICATES THAT THE ALPHA ESTABLISHES THE CURRENTLY SELECTED INSTANCE
    OF AN ENTITY_CLASS TO BE OF THE ENTITY_TYPE.

CONTAINS (CONTAINED IN)
    IDENTIFIES THE MEMBERS OF EACH INSTANCE IN A FILE. DATA MAY BE
    CONTAINED IN ONLY ONE FILE.

INCLUDES (INCLUDED IN)
    INDICATES A HIERARCHICAL RELATIONSHIP BETWEEN DATA, THAT IS DATA
    INCLUDES DATA.

REFERS (REFERRED BY)
    INDICATES ELEMENT TYPES THAT ARE IN THE STRUCTURE OF A R_NET OR
    SUBNET.




•  SET a transformation of an ENTITY_TYPE from one type to
another.

•  DESTROY an instance of an ENTITY_CLASS (to include its
COMPOSED ENTITY_TYPE).

As subsequent analysis of processing continues, it may be determined
that some logical branching is appropriate within the ALPHA such that more
than one output path could occur. In such a case, it should be replaced by
a SUBNET which can contain processing logic. The SUBNET is treated as
though the flow path(s) in the SUBNET were physically inserted into the
higher level flow path of the structure on which it is located.

More  complex  flow  situations  are  expressible  in  RSL  by  the  use  of 
structured  nodes  which  fan-in  and  fan-out  to  specify  different  processing 
paths.  The  structured  nodes  are  the  AND  and  OR  nodes. 

The meaning of an AND structure is that the paths are mutually
order-independent. The processes or parallel paths may be executed in any order,
or even in parallel. The fan-in at the end of the AND structure is a
synchronization point. All of the parallel paths must be completed before
any of the processes following the rejoin are performed. There are two
types of OR nodes: the basic OR node and the CONSIDER OR node. For the
basic OR node, the condition on each exit of the node is a standard Boolean
expression which may involve DATA elements and constants. This condition
is evaluated when the OR node is reached. The first condition to be
evaluated as TRUE specifies the exit branch to be followed. To prevent
problems if all specified conditions are FALSE, an OTHERWISE declaration is
used to specify a branch to be followed in such a case. Thus, a basic OR
node must have one branch with an OTHERWISE declaration. The basic OR node
is illustrated in Figure 3-13a.

The CONSIDER OR node allows branching on the value of DATA which is
of TYPE ENUMERATION, or branching on the ENTITY_TYPE of the currently
SELECTed ENTITY_CLASS. Each branch of the CONSIDER OR has an associated
criterion. DATA with TYPE ENUMERATION have values which are expressed as
words. The criteria specify which branch is to be taken, based on the
value of the enumerated DATA item under consideration. All of the legal
value names must appear once and only once in the branching criteria.
Since the criteria for a CONSIDER OR must be exhaustive, an OTHERWISE


Figure 3-13  The Two Kinds of OR Nodes

a: A BASIC OR NODE, branching on (PRT_NO_FLD_WORF = PRT_NO_FLD_IN) with an
OTHERWISE branch.
INTERPRETATION: IF THE TWO INDICATED DATA ELEMENTS HAVE THE SAME VALUE,
CONTINUE PROCESSING DOWN THE FIRST BRANCH. OTHERWISE, CONTINUE PROCESSING
DOWN THE SECOND BRANCH.

b: A CONSIDER OR NODE, branching on FILE_INPT_ACT_CD_IN.
INTERPRETATION: CONSIDER THE VALUE OF THE INDICATED DATA ELEMENT. IF ITS
VALUE IS A, PROCESS ONE BRANCH; OR IF ITS VALUE IS B, PROCESS ANOTHER
BRANCH; OR IF ITS VALUE IS 0, PROCESS A THIRD BRANCH.

branch is not allowed. An example of a CONSIDER OR is shown in Figure
3-13b.

Figure 3-14 shows the R_NET, SUBNET symbology used for SREM structure
development. All but the final symbol, the VALIDATION_POINT, were used in
the MOM DFSR effort. The VALIDATION_POINT would be used in Phase 6 of SREM
which was beyond the scope of this effort.

3.5.2  Example of an R_NET Development

R_NETs are developed in a top down fashion, and any SUBNET defined on
the R_NET (or, for that matter, on a SUBNET) is, itself, subjected to
definition of the logic of processing it represents. For example, the
R_NET: PROCESS_MOM_KEYBOARD_INPUT, Figure 3-15, defines the processing for
all input MESSAGES passing the INPUT_INTERFACE: FROM_MOM_KEYBOARD. Note
that the first branch decision is accomplished by determining the type of
MESSAGE received through the INPUT_INTERFACE. The processing for each




Figure 3-14  R_NET, SUBNET Symbology
(Symbols shown: ALPHA, AND, ENTRY NODE ON R_NET, ENTRY NODE ON SUBNET,
EVENT, FOR EACH, INPUT_INTERFACE, IF OR, CONSIDER OR, OUTPUT_INTERFACE,
SELECT, SUBNET, RETURN, TERMINATE, VALIDATION_POINT)


Figure 3-15  R_NET: PROCESS_MOM_KEYBOARD_INPUT (NET RTIOOO)

MESSAGE is defined on a separate processing path by a SUBNET which contains
the processing intended on that branch. The decision on which processing
path to be taken is based on the value of DATA: MOM_KYBD_MSG_TYPE which is
of TYPE ENUMERATION. Thus, the OR node is a CONSIDER OR.


3.5.3  Definition  of  SUBNET  Processing 

Each SUBNET is further defined separately. The SUBNET:
PERFORMANCE_STORE_TEMP_INFO (not shown) is a complex SUBNET which branches to
individual processing paths, depending on the value of the DATA item: DIG (e.g.,
XMA, XMB, etc.). For example, one branch for XMA contains the SUBNET:
PROCESS_XMA_ENTRY. This SUBNET is shown in Figure 3-16 and is a summary
net, in that it is defined as three other SUBNETS. Note that two of the
SUBNETS have SYNONYMs shown (e.g., A1001, and A1008). The third SUBNET is
indicated as undefined. This is because no processing logic was described
for the legal condition where the value of the DATA item
FILE_INPT_ACT_CD_IN was 0. This is an example of incomplete logic documented in a
Trouble Report as a deficiency.


Figure 3-16  SUBNET: PROCESS_XMA_ENTRY (NET A1000)
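The branching rules of section 3.5.1 and the undefined-SUBNET deficiency just described are the kind of finding a static check can produce. The following Python sketch is an added example, not REVS and not code from the report: it walks a net structure and reports a basic OR without exactly one OTHERWISE, a CONSIDER OR whose criteria are not exhaustive or that uses OTHERWISE, a FOR EACH not followed by an ALPHA or SUBNET, and a SUBNET that is referenced but not defined. The Node and Branch classes and check_path are hypothetical, as are the SUBNET names PROCESS_XMA_B and PROCESS_XMA_0; the sample nets are constructed and assume PROCESS_XMA_ENTRY is a CONSIDER OR on FILE_INPT_ACT_CD_IN.

```python
"""Static checks on an R_NET/SUBNET structure, following the branching rules
in section 3.5.1. Data model and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional

OTHERWISE = "OTHERWISE"


@dataclass
class Branch:
    label: str                      # condition text, enumeration value, or OTHERWISE
    path: List["Node"] = field(default_factory=list)


@dataclass
class Node:
    kind: str                       # ALPHA, SUBNET, SELECT, FOR_EACH, OR, CONSIDER_OR, ...
    name: str = ""                  # element name; for CONSIDER_OR, the DATA considered
    branches: List[Branch] = field(default_factory=list)
    body: Optional["Node"] = None   # node that follows a FOR_EACH


def check_path(net, path, enums, defined, findings=None):
    """Walk one flow path and collect rule violations as strings."""
    findings = [] if findings is None else findings
    for node in path:
        labels = [b.label for b in node.branches]
        if node.kind == "OR":
            n = labels.count(OTHERWISE)
            if n != 1:
                findings.append(f"{net}: basic OR has {n} OTHERWISE branches, needs 1")
        elif node.kind == "CONSIDER_OR":
            if OTHERWISE in labels:
                findings.append(f"{net}: CONSIDER OR on {node.name} may not use OTHERWISE")
            legal = enums.get(node.name)
            if legal is None:
                findings.append(f"{net}: {node.name} is not of TYPE ENUMERATION")
            else:
                for value in legal:
                    count = labels.count(value)
                    if count != 1:
                        findings.append(
                            f"{net}: value {value} of {node.name} appears on "
                            f"{count} branches, needs 1")
                for label in labels:
                    if label != OTHERWISE and label not in legal:
                        findings.append(
                            f"{net}: {label} is not a legal value of {node.name}")
        elif node.kind == "FOR_EACH":
            if node.body is None or node.body.kind not in ("ALPHA", "SUBNET"):
                findings.append(
                    f"{net}: FOR EACH {node.name} must be followed by an ALPHA or SUBNET")
        elif node.kind == "SUBNET" and node.name not in defined:
            findings.append(f"{net}: SUBNET {node.name} is referenced but not defined")
        for branch in node.branches:
            check_path(net, branch.path, enums, defined, findings)
        if node.body is not None:
            check_path(net, [node.body], enums, defined, findings)
    return findings


# Constructed sample data. The value names A, B and 0 are as printed on the
# page; PROCESS_XMA_B and PROCESS_XMA_0 are hypothetical SUBNET names.
ENUMS = {"FILE_INPT_ACT_CD_IN": ["A", "B", "0"]}
DEFINED = {"PROCESS_XMA_A", "PROCESS_XMA_B", "SEND_PROCESS_ERROR_MSG"}


def xma_entry(values):
    """PROCESS_XMA_ENTRY as a CONSIDER OR with one SUBNET per listed value."""
    return [Node("CONSIDER_OR", "FILE_INPT_ACT_CD_IN",
                 [Branch(v, [Node("SUBNET", f"PROCESS_XMA_{v}")]) for v in values])]


def xma_a(with_otherwise=True):
    """PROCESS_XMA_A reduced to its SELECT and its FOUND / OTHERWISE branching."""
    branches = [Branch("(FOUND)", [Node("ALPHA", "STORE_UIC_SPT_NR_AND_SEQ_NR"),
                                   Node("RETURN")])]
    if with_otherwise:
        branches.append(Branch(OTHERWISE, [
            Node("ALPHA", "SET_INCORRECT_UIC_SPT_ERROR"),
            Node("SUBNET", "SEND_PROCESS_ERROR_MSG"), Node("TERMINATE")]))
    return [Node("SELECT", "SUPPORT_UNIT_A_CARD"), Node("OR", branches=branches)]


if __name__ == "__main__":
    for finding in check_path("PROCESS_XMA_ENTRY", xma_entry(["A", "B", "0"]),
                              ENUMS, DEFINED):
        print(finding)
```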

We can illustrate one level lower by reviewing the definition of
SUBNET: PROCESS_XMA_A. This SUBNET, which is shown in Figure 3-17,
provides the first look at processing at the ALPHA level. In this process,
the first node indicates that a particular instance of GLOBAL
information is selected from the ENTITY_TYPE: SUPPORT_UNIT_A_CARD for use
in the processing that is to follow. Next, a decision is made as to what
processing should occur if the selected instance is not found (this is an
important consideration which defines a possible error path that typically
is not covered in most software specifications ... and wasn't in the MOM
DFSR). The term "(FOUND)" is the name of a DATA item that is of TYPE
BOOLEAN and which has a VALUE of TRUE or FALSE. At this point, the
"OTHERWISE" indicates the branch to be taken if the VALUE of FOUND is


Figure 3-17  SUBNET: PROCESS_XMA_A (NET A1001)

FALSE. In this case, the processing prepares to produce an output
error MESSAGE (which is actually produced in the SUBNET:
SEND_PROCESS_ERROR_MSG). Processing is then terminated on this branch for the
current stimulus.

If the selected ENTITY_CLASS is found, the UIC_SPT and SEQ_NO values
found in the input MESSAGE are stored as GLOBAL DATA in a new
instance of the ENTITY_CLASS: WORK_ORDER_REGISTRATION_FILE_WORF. Therefore,
the ALPHA: STORE_UIC_SPT_NR_AND_SEQ_NR also CREATES this new instance
of the ENTITY_CLASS. Next, the instance of the ENTITY_TYPE:
MANEUVER_CUSTOMER_B_CARD is selected which possesses the same UIC_SPT and
UIC_CUST code as those in the input MESSAGE. In this case, the decision as
to whether or not the information was found was accomplished inside




the SUBNET: CHECK_UIC_AGAINST_XREF. The processing in this SUBNET (not
shown) indicates that if the information is not found, an informative
message is transmitted; otherwise none is transmitted. In either case,
UIC_CUST_IN is stored as UIC_CUST_WORF in the same instance of the
ENTITY_CLASS: WORK_ORDER_REGISTRATION_FILE_WORF that was CREATED in the
preceding ALPHA.

Following this step, the final process is provided by SUBNET:
PROCESS_INTRA_SHOP_CD, which assigns the appropriate letter value for DATA:
INTRA_SHOP_CD. With the completion of this SUBNET, processing is complete
for the stimulus that initiated processing. Thus, the R_NET unambiguously
defines all the possible paths of processing that could occur as a result
of the receipt of a particular input MESSAGE, in this case, XMA input
information where FILE_INPT_ACT_CD_IN had a value of A.

3.5.4  Reason  for  Liberal  Use  Of  SUBNETS 

The  reader  may  be  wondering  about  the  considerable  use  of  SUBNETS  in 
the  definition  of  processing.  The  reason  for  this,  and  the  description  of 
the  two  basic  uses  of  SUBNETS  are  provided  in  the  next  two  paragraphs. 

Often, similar processing is required in several different R_NETs or
SUBNETS. In such a case, a SUBNET is defined. The SUBNET processing logic
is defined just once, and then it is REFERRED (used) as a node on any
structure where that processing is needed.

Its second use is for conservation of space in defining structures
which contain considerable processing logic. Such nets could be fully
defined to the lowest level of detail on a single page, but if they were,
the resulting net would be very complex and may be more difficult to
understand than the more summary description available by using SUBNETS.

Perhaps  of  more  importance,  there  is  an  adverse  CALCOMP  plot  impact  for 
large  nets  because  of  the  limit  of  CALCOMP-plot  paper  size.  Because  the 
entire  net  will  be  drawn  within  the  boundaries  of  the  available  paper  size, 
structures  with  large  quantities  of  nodes  will  be  drawn  with  the  nodes  so 
small  that  the  names  of  ALPHAs  and  SUBNETS  (which  are  also  included  on  the 
CALCOMP  plot)  will  be  unreadable.  Appropriate  use  of  SUBNETS  to  summarize 
portions  of  the  processing  logic  alleviates  this  CALCOMP  problem. 


3.5.5  Development  of  the  ALPHA  Description  Sheet 

Software engineers accomplish a parallel activity along with
developing the R_NETs, and that's the documentation of the DATA flow through the
R_NET on a worksheet called the ALPHA Description Sheet. Figure 3-18 shows
this worksheet for the SUBNET: PROCESS_XMA_A, whose processing was just
described. The ALPHA Description Sheet defines DATA and FILE information
INPUT TO and OUTPUT FROM each ALPHA on the R_NET or SUBNET covered by the
worksheet. DATA names are used consistently, in accordance with their
input source and output destination. That is, if the source of a DATA item
was the input MESSAGE, its name must be the same as that which MAKES that
MESSAGE. On the illustrated worksheet, the three different described
ALPHAS are the same ones defined on SUBNET: PROCESS_XMA_A found in Figure
3-17.

The DATA transformations can be observed on the worksheet. For
example, the first listed ALPHA inputs two DATA items and outputs three.
The order in which the DATA is listed defines the intended transformation.
For example, the value for the input DATA item UIC_SPT_IN from the input
MESSAGE, having the SYNONYM I2_01_K2 (abbreviated on the worksheet as
01_K2), is stored in the two DATA items UIC_SPT_WON_WORF (a portion of the
work order number) and UIC_SPT_WORF. Both of these DATA items are stored
as GLOBAL information in the ENTITY_CLASS:
WORK_ORDER_REGISTRATION_FILE_WORF, which has the SYNONYM F2_02_8P (abbreviated here as 02).

Because no entry is shown in the column "Value or Enumeration",
whatever value is INPUT by UIC_SPT_IN will now reside in UIC_SPT_WON_WORF,
and in UIC_SPT_WORF. Note, however, that in the second ALPHA, only one
DATA item (ERROR_CODE) is shown, and it is OUTPUT by the ALPHA. Since
there is no input DATA item with a value to be transferred, it is necessary
to indicate the value that is to be assigned by this ALPHA to ERROR_CODE.
This value is WRONG_UIC_SPT and is used in the SUBNET:
SEND_PROCESS_ERROR_MSG (which follows this ALPHA on the SUBNET in Figure 3-17) where a
determination is made as to what error text will be output to the operator.
This item is local because it will be used before processing in this SUBNET
is complete, and will not be needed thereafter.

This ALPHA Description Sheet also documents two other important
considerations, as shown at the right side of the worksheet for the first
ALPHA. These two entries indicate that the ALPHA:
STORE_UIC_SPT_NR_AND_SEQ_NR, in addition to the input and output of DATA, also CREATES a new
instance of the ENTITY_CLASS: WORK_ORDER_REGISTRATION_FILE_WORF and SETS
the new instance to ENTITY_TYPE: WORK_ORDER_REGISTRATION_FILE_CURR (the
current work order file).

3.5.6 Entry of R_NETs and SUBNETs Into the Requirements Data Base

Upon completion of the manual R_NET development and the ALPHA
Description sheets, these efforts were described in RSL and entered into
the requirements data base. The two-dimensional structures were defined in
a one-dimensional stream of RSL. For example, the SUBNET illustrated in
Figure 3-17 was defined in RSL, as shown in Figure 3-19. This effort was


LIST PROCESS_XMA_A.

SUBNET: PROCESS_XMA_A.
    STRUCTURE:
        SELECT ENTITY_TYPE: SUPPORT_UNIT_K_CARD SUCH THAT
            (UIC_SPT_CSP = UIC_SPT_IN)
        IF (FOUND)
            ALPHA: STORE_UIC_SPT_NR_AND_SEQ_NR
            SELECT ENTITY_TYPE: MANEUVER_CUSTOMER_J_CARD SUCH THAT
                ((UIC_SPT_CRF = UIC_SPT_IN) AND
                 (UIC_CUST_CRF = UIC_CUST_IN))
            SUBNET: CHECK_UIC_CUST_AGAINST_XREF
            ALPHA: STORE_UIC_CUST
            SUBNET: PROCESS_INTRA_SHOP_CODE
            RETURN
        OTHERWISE
            ALPHA: SET_INCORRECT_UIC_SPT_ERROR
            SUBNET: SEND_PROCESS_ERROR_MSG
            TERMINATE
        END
END.

Figure 3-19 RSL Listing of the Structure for SUBNET: PROCESS_XMA_A

followed by an RSL definition of the information on the ALPHA Description
Sheet, and the entry of this information into the requirements data base.
The result of these RSL entries for the three ALPHAS in the SUBNET in
Figure 3-17 is displayed in Figure 3-20. Note that two of the ALPHAS are
used (REFERRED) on other SUBNETS besides PROCESS_XMA_A. This illustrates


LIST XMA_A_ALPHAS.

ALPHA: SET_INCORRECT_UIC_SPT_ERROR.
    OUTPUTS:
        DATA: ERROR_CODE.
    REFERRED BY:
        SUBNET: PROCESS_XMA_A
        SUBNET: PROCESS_XMA_C.

ALPHA: STORE_UIC_CUST.
    INPUTS:
        DATA: UIC_CUST_IN.
    OUTPUTS:
        DATA: UIC_CUST_WORF.
    REFERRED BY:
        SUBNET: CONTINUE_XMA_C_PROCESS
        SUBNET: PROCESS_XMA_A.

ALPHA: STORE_UIC_SPT_NR_AND_SEQ_NR.
    CREATES:
        ENTITY_CLASS: CROSS_REFERENCE_FILE.
    INPUTS:
        DATA: SEQ_NO_IN
        DATA: UIC_SPT_IN.
    OUTPUTS:
        DATA: SEQ_NO_WON_WORF
        DATA: UIC_SPT_WON_WORF
        DATA: UIC_SPT_WORF.
    SETS:
        ENTITY_TYPE: MANEUVER_CUSTOMER_J_CARD.
    REFERRED BY:
        SUBNET: PROCESS_XMA_A.


Figure 3-20 RSL Definition of the ALPHAs in SUBNET: PROCESS_XMA_A


the  fact  that  all  relationships  are  shown  whenever  an  element  in  the  data 
base  is  listed. 


3.5.7 R_NETs as Source of Trouble Reports

The development of R_NETs required nearly half of the labor applied
to this effort. A total of 2 R_NETs and 2^8 SUBNETS were defined using the
technique described above. Perhaps it's not surprising, then, to note that
nearly all of the discrepancies identified and documented as Trouble
Reports were discovered in this phase of the effort. As each DLT was
evaluated, it was translated into an R_NET, and logical errors became very
apparent. A discussion of Trouble Reports resulting from R_NET development,
and from efforts in other phases of the contract is provided in
Section 4 of this report.




3.6  DEVELOPMENT  OF  TRACEABILITY 

In a system such as the Standard Army Maintenance System (SAMS) where
several levels of requirements and design specifications exist, both upward
and downward traceability should exist. This allows verification of
performance against the parent requirements and allows an impact analysis to
be made in the event that a detailed performance requirement cannot be met,
or a change in the system requirement occurs. RSL definitions that are
related to traceability are provided in Table 3.8, and their
interrelationships are shown in Figure 3-21.


Table  3.8  RSL  Definitions  Used  in  the  Development  of  Traceability 


DEFINITION OF ELEMENTS

ORIGINATING_REQUIREMENT
    A HIGHER LEVEL OF REQUIREMENTS FROM WHICH LOWER LEVEL REQUIREMENTS,
    THOSE THAT ARE EXPRESSED IN RSL, ARE TRACEABLE.

SOURCE
    SOURCE OR AUXILIARY MATERIAL FOR REQUIREMENTS. IT IS THE ORIGINATING
    POINT FOR ONE OR MORE ORIGINATING REQUIREMENT, THE DOCUMENTATION OF
    TRADE-OFF STUDIES, OR THE BACKGROUND MATERIAL FOR REQUIREMENTS ELEMENTS.

DECISION
    A CHOICE OF INTERPRETATION THAT HAS BEEN MADE TO ESTABLISH FUNCTIONAL
    AND/OR PERFORMANCE REQUIREMENTS BASED ON ONE OR MORE ORIGINATING
    REQUIREMENTS.

DEFINITION OF RELATIONSHIPS

DOCUMENTED BY (DOCUMENTS)
    IDENTIFIES THE ORIGINATING POINT OR PROVIDES AUXILIARY INFORMATION FOR
    THE ORIGINATING REQUIREMENT.

INCORPORATES (INCORPORATED IN)
    INDICATES A HIERARCHICAL RELATIONSHIP BETWEEN ORIGINATING_REQUIREMENTS.

TRACES TO (TRACED FROM)
    IDENTIFIES THE LOWER LEVEL REQUIREMENTS TO OR FROM WHICH THE
    ORIGINATING REQUIREMENT OR DECISION HAVE BEEN ALLOCATED OR DERIVED.

The SOURCE of the ORIGINATING_REQUIREMENTs established in this phase
is the text of Chapter 4 of the DFSR. We will use an excerpt from that
chapter to illustrate how the ORIGINATING_REQUIREMENTs are developed.

Refer to the excerpt from Paragraph 4-10 in Figure 3-22 for the following
discussion. In reviewing the contents of this text to find elements that

[Figure 3-21: diagram of SOURCE, ORIGINATING_REQUIREMENT and "almost any
RSL element", labelled with the relationships DOCUMENTS / DOCUMENTED BY,
INCORPORATES / INCORPORATED IN, and TRACES TO / TRACED FROM]

Figure 3-21 Traceability Interrelationships


4-10. WORK ORDER MANAGEMENT (REAL TIME) PROCESS (FIGURE 3-6-3). The
Work Order Management Process is a real-time process that provides the
vehicle for placing an item of equipment into the support maintenance
shop; for processing and controlling an item of equipment through
inspection, repair, and final inspection; and for returning an item of
equipment to the customer. This process accepts information from the
Maintenance Request/Work Order form by keying changes in work status into
the [illegible] as they occur. This current (real-time) data is thus
available for the manager to secure current status of the work orders in
the shops for operational management purposes and responding to customer
inquiries.

4-10a. When a customer determines that support maintenance is required,
a Maintenance Request/Work Order, [illegible], is prepared (ref para
[illegible], fig [illegible]) and presented with the equipment or item to
be repaired to the support shop. The customer should enter any previously
assigned Work Order Number, as in [illegible] or equipment recall
schedules.

4-10b. On receipt of a Maintenance Request/Work Order (hereinafter
referred to as Work Order (WO)), the Shop Office Clerk reviews the
document to insure that all data are entered and that the customer is
valid. If a WO is received from a nonvalid customer, the WO may still
be accepted, as in the case of a transient; however, unless an emergency
exists, the customer is directed to his usual support unit.

4-10c. The Shop Office Clerk prepares to register the Work Order
[remainder illegible]


Figure 3-22 Excerpt from Chapter 4 of the DFSR Showing
ORIGINATING_REQUIREMENTs


define a process to be implemented by the data processor, only a general
description of the overall Work Order Management Process is found prior to
subparagraph 4-10c. Therefore, no information in these portions of the
paragraph constitutes an ORIGINATING_REQUIREMENT.

As indicated by the two blocks outlined in paragraph 4-10c, two
ORIGINATING_REQUIREMENTs were found in this subparagraph. The first
requires the DP to recognize an operator request to initiate the WO
Registration process XMA/XMB. The second requirement provides that the DP
accept, and presumably store, the DATA for Work Order Registration. The
following RSL commands established these as ORIGINATING_REQUIREMENTs:

ORIGINATING_REQUIREMENT: INITIATE_REAL_TIME_PROCESSING.
    DOCUMENTED BY SOURCE: PARA_4_10C.

ORIGINATING_REQUIREMENT: PROMPT_OPR_ENTRY.
    DOCUMENTED BY SOURCE: PARA_4_10C.

ORIGINATING_REQUIREMENT: STORE_XMA_XMB_WO_REG_ENTRY.
    DOCUMENTED BY SOURCE: PARA_4_10C.

The definition of processing in the Decision Logic Tables should
address these ORIGINATING_REQUIREMENTs in some defined process or
processes. Any important element of the requirements data base that exists
because of these requirements should be TRACED FROM them. We define
important elements as:

•  SUBSYSTEM 

•  INPUT_INTERFACE

•  OUTPUT_INTERFACE

•  MESSAGE

•  ENTITY_CLASS

•  R_NET

•  SUBNET.

Thus, when the requirements data base is complete, each of the above
element types should be TRACED FROM one or more ORIGINATING_REQUIREMENTs.
Conversely, every ORIGINATING_REQUIREMENT should show a TRACES TO
relationship to one or more of the important elements defined above.

If the TRACED FROM relationship does not exist for an important
element, this suggests that the element was not needed since no
ORIGINATING_REQUIREMENT called for it. And if an ORIGINATING_REQUIREMENT
does not trace to any important element, it implies that the software
requirements are not complete, and won't be complete until some portion of
the requirements statement is prepared to satisfy that
ORIGINATING_REQUIREMENT. Thus, at the conclusion of the creation of the
requirements data base, RADX is used to identify either of these cases of
faulty traceability so it may be addressed by the software engineer.

A total of 232 ORIGINATING_REQUIREMENTs were developed from Chapter
4 of the MOM DFSR. Each of the 501 "important elements" was traced to
these ORIGINATING_REQUIREMENTs. As a result of this effort, 167 important
elements were not traceable to any ORIGINATING_REQUIREMENT. Similarly, 47
ORIGINATING_REQUIREMENTs did not trace to any data base element. These are
the results of the first pass of the RADX traceability check. Although we
lacked available computer time to make corrections, our assessment
indicates that most of the untraced elements were due to human error in the
data base. This further illustrates the fact that although human error can
occur with the application of any requirements engineering technique
(including SREM), the RADX capability highlights all the errors so that they
may be corrected. Consequently, these errors would have been corrected in
due course in a normal verification effort.

With  an  easy  RSL  extension  this  traceability  can  be  continued  to 
software  modules,  test  requirements,  test  cases,  etc.  Therefore,  the  data 
base  has  continuing  utility  for  support  of  configuration  management  during 
software  development  and  test,  and  even  after  the  system  is  fielded. 

The perceptive reader will have already recognized one additional
valuable benefit of establishing strong traceability beyond that of
configuration management support. That is the powerful support of the
assessment of changes to the requirements that is possible. Suppose, for
example, a SOURCE paragraph was to be deleted as a requirement. RADX would
allow the requirements data base to be queried to produce a list of
elements that are TRACED from the ORIGINATING_REQUIREMENTs DOCUMENTED by
that SOURCE paragraph.

It does not follow that all such elements should be purged from the
data base. Rather, all should be reviewed with an eye to other processes
that are not to be deleted. Recognition of other involvement can be gained
by noting the various relationships of the elements on the list. If, for
example, an ALPHA on an R_NET, which is to be deleted because of the
requirements deletion, is also on another R_NET which is not to be deleted,
it must be retained. If it was found only on (REFERRED BY) the R_NET to be
deleted it could safely be deleted from the data base. Additionally, the
DATA and FILE information INPUT TO or OUTPUT FROM that ALPHA would also be
examined and, if not used for any other purpose, could also be deleted.
Thus, SREM provides the capability of removing unneeded processing when a
change occurs, instead of leaving it in place due to the fear of unexpected
impact on other processing.
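
The two traceability checks and the deletion review described in this section can be modeled in a short Python program. This is an added illustration, not REVS or RADX code: the RequirementsDB class, its methods and every link in the sample data are assumptions made for the example, and names marked (hyp.) do not appear in the report.

```python
from collections import defaultdict

# Element types the report treats as "important" for traceability.
IMPORTANT = {"SUBSYSTEM", "INPUT_INTERFACE", "OUTPUT_INTERFACE",
             "MESSAGE", "ENTITY_CLASS", "R_NET", "SUBNET"}


class RequirementsDB:
    """Toy requirements data base: typed elements plus named relationships."""

    def __init__(self):
        self.etype = {}                  # element name -> element type
        self.links = defaultdict(set)    # relationship -> {(subject, object)}

    def add(self, etype, *names):
        for name in names:
            self.etype[name] = etype

    def relate(self, subject, relationship, *objects):
        self.links[relationship].update((subject, obj) for obj in objects)

    def of_type(self, *etypes):
        return {n for n, t in self.etype.items() if t in etypes}

    def objects(self, subject, relationship):
        return {o for s, o in self.links[relationship] if s == subject}

    def subjects(self, relationship, obj):
        return {s for s, o in self.links[relationship] if o == obj}


def traceability_check(db):
    """Return (important elements never TRACED FROM, requirements with no TRACES TO)."""
    important = db.of_type(*IMPORTANT)
    traced = {obj for _, obj in db.links["TRACES TO"]}
    dangling = {req for req in db.of_type("ORIGINATING_REQUIREMENT")
                if not db.objects(req, "TRACES TO") & important}
    return important - traced, dangling


def impact_of_deleting_source(db, source):
    """Split everything reachable from a deleted SOURCE into (delete, retain)."""
    dead_reqs = db.subjects("DOCUMENTED BY", source)
    candidates = set().union(*(db.objects(r, "TRACES TO") for r in dead_reqs))
    # An element still traced from a surviving requirement must be retained.
    delete = {e for e in candidates if db.subjects("TRACES TO", e) <= dead_reqs}
    retain = candidates - delete
    # An ALPHA goes only if every net that REFERS to it is itself being deleted.
    for net in sorted(delete):
        for alpha in db.objects(net, "REFERS") & db.of_type("ALPHA"):
            users = db.subjects("REFERS", alpha)
            (delete if users <= delete else retain).add(alpha)
    # DATA goes only if every ALPHA that INPUTS or OUTPUTS it is being deleted.
    for alpha in sorted(delete & db.of_type("ALPHA")):
        for item in db.objects(alpha, "INPUTS") | db.objects(alpha, "OUTPUTS"):
            users = db.subjects("INPUTS", item) | db.subjects("OUTPUTS", item)
            (delete if users <= delete else retain).add(item)
    return delete, retain


def build_sample_db():
    """Constructed sample. Names marked (hyp.) do not come from the report."""
    db = RequirementsDB()
    db.add("SOURCE", "PARA_4_10C", "PARA_X")                      # PARA_X (hyp.)
    db.add("ORIGINATING_REQUIREMENT", "INITIATE_REAL_TIME_PROCESSING",
           "PROMPT_OPR_ENTRY", "STORE_XMA_XMB_WO_REG_ENTRY",
           "REPORT_ENTRY_ERRORS")                                  # last one (hyp.)
    db.add("SUBNET", "PROCESS_XMA_A", "PROCESS_XMA_C", "SEND_PROCESS_ERROR_MSG")
    db.add("MESSAGE", "WO_STATUS_REPLY")                           # (hyp.)
    db.add("ALPHA", "STORE_UIC_SPT_NR_AND_SEQ_NR",
           "SET_INCORRECT_UIC_SPT_ERROR", "CHECK_UIC_SPT")         # last one (hyp.)
    db.add("DATA", "UIC_SPT_IN", "UIC_SPT_WORF", "ERROR_CODE")
    for req in ("INITIATE_REAL_TIME_PROCESSING", "PROMPT_OPR_ENTRY",
                "STORE_XMA_XMB_WO_REG_ENTRY"):
        db.relate(req, "DOCUMENTED BY", "PARA_4_10C")
    db.relate("REPORT_ENTRY_ERRORS", "DOCUMENTED BY", "PARA_X")
    # The trace and structure links below are invented for the illustration.
    db.relate("INITIATE_REAL_TIME_PROCESSING", "TRACES TO", "PROCESS_XMA_A")
    db.relate("STORE_XMA_XMB_WO_REG_ENTRY", "TRACES TO",
              "PROCESS_XMA_A", "SEND_PROCESS_ERROR_MSG")
    db.relate("REPORT_ENTRY_ERRORS", "TRACES TO",
              "PROCESS_XMA_C", "SEND_PROCESS_ERROR_MSG")
    db.relate("PROCESS_XMA_A", "REFERS", "STORE_UIC_SPT_NR_AND_SEQ_NR",
              "SET_INCORRECT_UIC_SPT_ERROR", "SEND_PROCESS_ERROR_MSG")
    db.relate("PROCESS_XMA_C", "REFERS",
              "SET_INCORRECT_UIC_SPT_ERROR", "CHECK_UIC_SPT")
    db.relate("STORE_UIC_SPT_NR_AND_SEQ_NR", "INPUTS", "UIC_SPT_IN")
    db.relate("STORE_UIC_SPT_NR_AND_SEQ_NR", "OUTPUTS", "UIC_SPT_WORF")
    db.relate("CHECK_UIC_SPT", "INPUTS", "UIC_SPT_IN")
    db.relate("SET_INCORRECT_UIC_SPT_ERROR", "OUTPUTS", "ERROR_CODE")
    return db


if __name__ == "__main__":
    sample = build_sample_db()
    print("untraced / dangling:", traceability_check(sample))
    print("delete / retain:", impact_of_deleting_source(sample, "PARA_4_10C"))
```

In the sample, the SUBNET traced from two SOURCE paragraphs and the ALPHA referred to by two SUBNETs land in the retain set, which is the review outcome the text describes.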




3.7 EVALUATION USING RADX


The Requirements Analysis and Data Extraction (RADX) function built
into the REVS software provides a means to accomplish powerful automated
checks for the completeness, consistency and traceability of the software
requirements entered into the data base as a result of the efforts
described in the preceding paragraphs. This is a unique capability, compared
to other requirements engineering tools and/or methodologies.

Because much of the results of our effort, including the example of
the regeneration of the MOM DFSR specification, utilizes the RADX
capability, it is appropriate to describe rather thoroughly how this tool is
used. This will assist in understanding later displays of information from
the requirements data base and for illustrating the power of RADX in its
support of the software requirements engineer.

In this discussion, we will first define the basis for the use of
RADX, describe how RADX is used to create sets of interest from the
information in the requirements data base, how to list these sets for
inspection, and how to produce CALCOMP plots from structures in the data base.
With this understanding of how RADX is used, we will describe the steps we
took to analyze the adequacy of the requirements data base, to include
examples where appropriate for understanding. Finally, we will summarize
the problems found using RADX that were reported via Trouble Reports.

3.7.1  The  Premise  of  RADX  Use 

Conceptually, RADX is built on the premise that if the preceding
efforts were accomplished in accordance with the prescribed methodology,
certain properties about the elements and their relationships should be
true, if the effort is complete, and conversely, certain properties should
be absent if it isn't. For example, every MESSAGE defined in the data base
as entering the DP system to stimulate some prescribed processing, or as
being produced during the processing as a message to be transmitted from
the DP system to an outside SUBSYSTEM, must be MADE BY DATA or FILE
information. Thus, any MESSAGE that is not MADE BY any DATA or FILE
information is a requirements data base error that must be corrected. Once
this MESSAGE is identified the requirements engineer will accomplish one of
three corrections, namely: 1) determine the DATA and FILE information and
ascribe it to the MESSAGE using the relationship: MESSAGE is MADE BY DATA,
or MADE BY FILE, or 2) determine that the MESSAGE is really not required
and PURGE it from the data base, or 3) determine that the MESSAGE name is a
slight variant of the naming of another MESSAGE in the data base and is, in
fact, meant to be the same one. In this latter case, the improperly named
MESSAGE is MERGEd into the correctly named MESSAGE (thus causing the
relationships and attributes of the improperly named MESSAGE to now be
ascribed to the correctly named one). In addition, the incorrect MESSAGE
name is PURGEd from the data base.

3.7.2  RADX  Approach 

The approach used for RADX analysis is sets analysis. A subset of
the information in the requirements data base is defined and a RADX command
is input to create that subset. This may be a pre-defined set such as any
of the basic elements (e.g., ALL (everything in the data base), MESSAGE,
R_NET, SUBNET, DATA, etc.), or may be a user-defined subset.

3.7.2.1 Definition of a Set by Relationship Qualification

The user may define a subset through the combination of an element
and some relationship or attribute ascribed to that element. If a subset
of MESSAGES that are not passed by an INPUT_INTERFACE is desired, the RADX
command to establish that set is:

SET  UNPASSED_MESSAGES  =  MESSAGE  THAT  IS  NOT  PASSED. 

In the example, the indicated elements are:

•  SET - The RADX command to indicate that a new set from the
   requirements data base is to be established.

•  UNPASSED_MESSAGES - An arbitrary set_identifier (name) given to the
   new set. Any name may be used, but it is usually worthwhile to use a
   meaningful name.

•  = - The definition of the set just named will now be defined.

•  MESSAGE - A predefined subject SET which initiates definition of the
   SET: UNPASSED_MESSAGES.

•  THAT - A legal positive connector which will link some relationship
   (in this case) or attribute concerning the element: MESSAGE to define
   the set.

•  IS - An optional word which may be used with this positive connector.

•  NOT - A legal connector that makes the foregoing connector a negative
   connector.

•  PASSED - A legal relationship for the subject SET: MESSAGE in this set
   definition.

Thus, this SET is defined as all MESSAGES that currently reside in the
requirements data base that are not defined as passing across any
INPUT_INTERFACE or OUTPUT_INTERFACE. Note that the object elements
INPUT_INTERFACE and OUTPUT_INTERFACE did not have to be named to create
this SET. This is because REVS recognizes that the relationship PASSES is
legal only when MESSAGE is the subject element of this definition and
either INPUT_INTERFACE or OUTPUT_INTERFACE is the object element. Thus,
when only the relationship PASSES is used all MESSAGES are included,
regardless of whether they are PASSed by the INPUT_INTERFACE or by the
OUTPUT_INTERFACE.

Of course the object element may be used in the SET definition if
appropriate to the user's intent in creating the SET. For example, suppose
it was desired to create a SET of just the input MESSAGES. In that case,
the RADX command would be:

SET INPUT_MESSAGES = MESSAGE THAT IS PASSED BY INPUT_INTERFACE.

This command would create the desired SET. The SET would not include
MESSAGES PASSed by any OUTPUT_INTERFACE, nor MESSAGES not PASSed by any
interface.

The general case, then, for a relationship qualification is:

SET Set_identifier = Existing_subject_set_identifier
    Positive_connector [or Negative_connector]
    [MULTIPLE] Relationship_name [Relationship_optional_word]
    [Object_set_identifier].

The bracketed phrases represent optional portions of the SET definition.
All of those shown except "MULTIPLE" have been explained. The term
"MULTIPLE" is used when more than one instance of the indicated
relationship must exist for an item to be part of the defined SET. For
example, the RADX SET command:

SET MESSAGES_PASSED_BY_MORE_THAN_ONE_INTERFACE
    = MESSAGE THAT IS MULTIPLE PASSED.

would create a SET of all MESSAGES that are passed by more than one
interface (an improper condition).

3.7.2.2 Definition of SETs by Attribute Qualification

SETS may also be created by using attribute names, or by using actual
attribute values. In the first case, suppose it was desired to create a
SET of R_NETs that did not have the attribute DESCRIPTION. The RADX
command would be:

SET UNDESCRIBED_NETS = R_NET WITHOUT DESCRIPTION

The indicated elements in this example are:

•  SET - The RADX command to indicate that a new set from the
   requirements data base is to be established.

•  UNDESCRIBED_NETS - An arbitrary Set_identifier (name) given to the
   new set.

•  = - The set just named will now be defined.

•  R_NET - A predefined subject SET which initiates definition of the
   SET: UNDESCRIBED_NETS.

•  WITHOUT - A legal negative connector.

•  DESCRIPTION - A predefined legal attribute for the subject SET: R_NET.

The  use  of  the  value  of  an  attribute  to  describe  a  SET  to  be  created 
can  best  be  illustrated  by  another  example.  Suppose  it  was  desired  to  know 
all  the  data  items  with  the  attribute:  UNITS  which  have  the  value 
MANHOURS.  The  appropriate  RADX  command  would  be: 

SET DATA_WITH_UNITS_OF_MANHOURS = DATA WITH UNITS = MANHOURS.

-OR-

SET DATA_WITH_UNITS_OF_MANHOURS = DATA WITH UNITS MANHOURS.




When the Relational_operator in the SET definition is =, it may be
omitted, since that is the default value. The general case for attribute
qualification is:

SET Set_identifier = Existing_subject_set_identifier
    Positive_connector [or Negative_connector]
    Attribute_name [Relational_operator]
    [Attribute_value].

The  legal  relational  operators  are  outlined  in  Table  3.9. 

Table  3.9  RADX  Relational  Operators 


The  value  that  is  specified  for  Attribute_value  can  be  an  integer,  a 
real  number,  a  value  name,  or  a  text  string  that  is  not  longer  than  60 
characters.  The  relational  operators  =  and  <>  are  the  only  ones  that  are 
legal  if  the  value  is  specified  as  a  text  string  or  as  a  value  name  in  the 
set  definition. 

The members of any new SET are those members of the existing subject
SET that satisfy the relationship or attribute criterion in the manner
indicated by the connector. When a positive connector is used, the members
of the new SET are those in the existing subject SET which have the stated
relationship or attribute criterion. If a negative connector is used, then
the members of the new SET are those in the subject SET that do not have
the stated relationship or attribute criterion. A variety of terms are
allowed to be used as positive and negative connectors to increase the
readability of RADX statements. The legal connectors usable in RADX set
definitions are shown in Table 3.10.


Table 3.10 RADX Positive and Negative Connectors

POSITIVE CONNECTORS        NEGATIVE CONNECTORS

WITH                       POSITIVE_CONNECTOR NO
WHERE                      POSITIVE_CONNECTOR NOT
WHICH                      WITHOUT
WHICH IS
IN
FROM
SUCH
SUCH THAT
THAT
THIS IS
BY


3.7.2.3 Definition of a Set by Enumeration and Combination

Whereas the previous examples illustrated SET definition in terms of
a single existing subject SET, RADX also provides the means to define new
SETs via use of more than one existing SET. This can be accomplished by
enumeration or by combination of existing SETs.

In the enumeration approach, the members of a new SET can be defined
as those contained in another existing SET or as the union of two or more
existing SETs.

The statements given below demonstrate the use of this technique for
defining SETs.

SET A = ALPHA, FILE, INPUT_INTERFACE.

SET  B  =  SET  A,  DATA. 

In the first statement, SET A will contain all the elements in the
data base that are members of the predefined element type SETs ALPHA, FILE
or INPUT_INTERFACE. The SET B will contain elements that are members of
the user defined SET A plus the predefined element DATA.

Defining  Sets  by  Combination 

A  set  can  be  defined  as  the  logical  combination  of  two  existing 
independent  sets  by  a  statement  using  the  following  syntax: 


SET Set_identifier = Existing_first_independent_set_identifier
    Combination_operator Existing_second_independent_set_identifier

The combination_operators are:

•  AND - SET intersection. The members of the new SET are those that are
   members of both the first independent SET and the second independent
   SET.

•  OR - SET union. The members of the new SET are those that are members
   of either the first independent SET or the second independent SET.

•  MINUS - SET difference. The members of the new SET are those that are
   members of the first independent SET, but not the second independent
   SET.

Examples  of  SET  definition  by  combination  using  these  operators 
follow: 

•  SET ALPHA_DATA = ALPHA OR DATA. This combines all
   ALPHAS and DATA into a single SET. This provides the
   same result as the following SET definition by
   enumeration:

   SET ALPHA_DATA = ALPHA, DATA

•  SET NETS_IN_X = R_NET AND X. Here, X is a user-defined
   SET which may include several different predefined or
   user-defined SETs. If it includes R_NETs, these R_NETs
   will now exist as the SET: NETS_IN_X. If there are no
   R_NETs in SET X, NETS_IN_X will be an empty set.

•  SET ALL_EXCEPT_DECISION = ALL MINUS DECISION. This
   removes the predefined SET: DECISION from the total
   existing requirements data base. The set of remaining
   elements are now defined as the SET: ALL_EXCEPT_DECISION.
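
The set semantics of sections 3.7.2.1 through 3.7.2.3 (relationship qualification, attribute qualification, enumeration and combination) can be exercised with a small evaluator. This is an added sketch in Python, not RADX itself: the Radx class, all sample element names, and the restriction to the = and <> relational operators are assumptions of the example.

```python
import re

# Words accepted before the relationship or attribute name (Table 3.10 plus optional IS).
CONNECTOR_WORDS = {"WITH", "WHERE", "WHICH", "IN", "FROM", "SUCH", "THAT", "THIS", "BY", "IS"}
NEGATORS = {"WITHOUT", "NO", "NOT"}
COMBINE = {"AND": set.intersection, "OR": set.union, "MINUS": set.difference}


class Radx:
    """Evaluates a subset of RADX SET statements over an in-memory data base."""

    def __init__(self, elements, relations):
        self.elements = elements      # name -> (element type, {attribute: value})
        self.relations = relations    # (subject, relationship, object) triples
        self.sets = {"ALL": set(elements), "ANY": set(elements)}
        for name, (etype, _) in elements.items():
            self.sets.setdefault(etype, set()).add(name)   # predefined type sets

    def define(self, statement):
        match = re.fullmatch(r"\s*SET\s+(\w+)\s*=\s*(.+?)\s*\.?\s*",
                             statement.upper(), re.S)
        if not match:
            raise ValueError(f"not a SET statement: {statement!r}")
        name, body = match.groups()
        self.sets[name] = self._evaluate(body)
        return self.sets[name]

    def _evaluate(self, body):
        if "," in body:                                 # enumeration: union of listed sets
            return set().union(*(self.sets[p.split()[-1]] for p in body.split(",")))
        tokens = body.split()
        if len(tokens) == 3 and tokens[1] in COMBINE:   # combination of two sets
            return COMBINE[tokens[1]](self.sets[tokens[0]], self.sets[tokens[2]])
        return self._qualify(tokens)

    def _qualify(self, tokens):
        subject, rest = self.sets[tokens[0]], tokens[1:]
        negative = False
        while rest and rest[0] in CONNECTOR_WORDS | NEGATORS:
            negative |= rest.pop(0) in NEGATORS
        multiple = bool(rest) and rest[0] == "MULTIPLE"
        if multiple:
            rest.pop(0)
        key, rest = rest[0], rest[1:]
        if any(rel == key for _, rel, _ in self.relations):
            # Relationship qualification; a trailing set name restricts the object.
            target = self.sets[rest[-1]] if rest else self.sets["ALL"]
            need = 2 if multiple else 1
            hits = {e for e in subject
                    if sum(s == e and r == key and o in target
                           for s, r, o in self.relations) >= need}
        else:
            # Attribute qualification; "=" is the default relational operator.
            op = rest.pop(0) if rest and rest[0] in ("=", "<>") else "="
            value = " ".join(rest)
            hits = set()
            for e in subject:
                attrs = self.elements[e][1]
                if key in attrs and (not value or
                        (str(attrs[key]).upper() == value) == (op == "=")):
                    hits.add(e)
        return subject - hits if negative else hits


def sample_db():
    """Constructed sample data base; every element name here is hypothetical."""
    elements = {
        "OPERATOR_CONSOLE": ("INPUT_INTERFACE", {}),
        "SHOP_PRINTER": ("OUTPUT_INTERFACE", {}),
        "WO_REG_IN": ("MESSAGE", {}),
        "ERROR_TEXT": ("MESSAGE", {}),
        "STRAY_MSG": ("MESSAGE", {}),
        "WO_REGISTRATION": ("R_NET", {"DESCRIPTION": "Registers a work order"}),
        "WO_CLOSEOUT": ("R_NET", {}),
        "STORE_WO": ("ALPHA", {}),
        "LABOR_HOURS": ("DATA", {"UNITS": "MANHOURS"}),
        "REPAIR_COST": ("DATA", {"UNITS": "DOLLARS"}),
    }
    relations = [
        ("WO_REG_IN", "PASSED", "OPERATOR_CONSOLE"),
        ("ERROR_TEXT", "PASSED", "OPERATOR_CONSOLE"),
        ("ERROR_TEXT", "PASSED", "SHOP_PRINTER"),   # the improper MULTIPLE case
    ]
    return Radx(elements, relations)


if __name__ == "__main__":
    radx = sample_db()
    print(radx.define("SET UNPASSED_MESSAGES = MESSAGE THAT IS NOT PASSED."))
    print(radx.define("SET UNDESCRIBED_NETS = R_NET WITHOUT DESCRIPTION"))
```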


3.7.2.4 Defining SETs By Structure Qualification

Implicit relationships between structures and elements used in
structures may be used for defining a new SET of elements that have, or do
not have, certain structural characteristics. These implicit relationships
are named REFERS and REFERRED. They cannot be explicitly input through the
RSL translator but they are implicitly defined when a structure is entered
into the requirements data base.

The REFERS relationship exists between an element with a structure
and the elements used on the structure. The REFERRED relationship is the
complement of the REFERS relationship. These implicit relationships are
used in the same manner as RSL relationships are used to define a new SET
by relationship qualification. The following examples illustrate different
uses of this statement.

SET R_NET_NO_STRUCTURE = R_NET WITHOUT REFERS.

SET R_NET_USING_UPDATE_STATE = R_NET WHICH REFERS TO
    UPDATE_STATE.

SET ALPHAS_NOT_USED = ALPHA THAT IS NOT REFERRED.

SET ALL_NEEDED_BY_R_NET_RADAR_SUMMARY = ALL THAT IS REFERRED
    TO BY RADAR_SUMMARY.

3.7.2.5 Defining Sets by Hierarchy

There are several hierarchies that exist in the definition of RSL
such as data hierarchies and structure hierarchies that can be identified
for use as a "road map" to trace through the requirements data base for the
purpose of defining a SET or determining the order in which to extract and
display information. A RADX HIERARCHY can be defined as follows:

HIERARCHY [or HIER] New_hierarchy_name =
    (Existing_subject_set_identifier Relationship_name
    [Relationship_optional_word]
    Existing_object_set_identifier)”

The symbol after the closing parenthesis indicates that the type of
relational statements between the parentheses ( ) may be repeated any
number of times. In the above definition, New_hierarchy_name is a unique
name that will be used to reference the HIERARCHY. The set_identifiers
designate SETs that must be defined before the HIERARCHY is defined, and
Relationship_name is any RSL relationship or an implicit relation (REFERS
or REFERRED).

Figure 3-23 Hierarchy for INPUT_INTERFACE

For example, Figure 3-23 illustrates an RSL information hierarchy
that exists in the requirements data base. The nodes in the graph
represent SETs (in this case predefined element type SETs) and the branches
represent binding relationships between the SETs. This HIERARCHY can be
named, say INFO_SOURCE, and input under RADX for use by defining the
connectivity of the graph as follows:

HIER INFO_INTERFACE = INPUT_INTERFACE PASSES MESSAGE;
                      MESSAGE MADE BY FILE;
                      MESSAGE MADE BY DATA;
                      FILE CONTAINS DATA;
                      DATA INCLUDES DATA.

It  may  then  be  LISTed.  Examples  of  LISTed  HIERARCHIES  can  be  found  in 
Figures  3-2,  3-3,  and  others  provided  earlier. 

It often is appropriate to create a SET of all elements traversed via
the HIERARCHY. If it was desired to create a SET called INFO_SOURCE for
all the elements in the HIERARCHY: INFO_INTERFACE, it would be
accomplished as follows:




3.7.2.6 Listing RADX Sets

Any  predefined  or  user-defined  set  created  under  RADX  procedures  can 
be  listed  by  the  simple  command: 

LIST Set_identifier

For example, the command:

LIST ALL or LIST ANY

will cause all elements defined in the requirements data base to be listed.
The command:

LIST  DATA 

will  cause  only  the  DATA  in  the  requirements  data  base  to  be  listed.  The 
command  to 

LIST  X 

(where  X  is  a  user-defined  set)  will  cause  the  user-defined  set  to  be 
printed.  In  addition,  if  it  were  desired,  the  output  could  be  punched 
cards,  rather  than  a  printout,  by  substituting  the  command:  PUNCH  for 
LIST. 

3. 7. 2. 7  Controlling  the  Listing  Format 

When  RADX  is  initially  activated,  all  elements  in  a  RADX  listing  will 
include  all  information  (relationships,  attributes,  structures)  known  about 
each.  The  amount  of  information  to  be  listed  can  be  controlled  by  using 
the RADX command called APPEND.

The  APPEND  command  is  used  to  specify  the  associated  attributes, 
relationships,  and  structures  that  should  be  displayed  along  with  the 
display  of  an  element.  The  syntax  of  the  statement  is: 

APPEND Element_type_identifier (Append_item)^.

The )J indicates that there may be a multiple list of Append_items for a
particular Element_type_identifier. When this is true, the information is
printed in the order in which the Append_item is listed.

In the above statement, Element_type_identifier is an RSL element
type name, such as MESSAGE, DATA, etc., or the keyword ANY or ALL, and
indicates the element type or element types to which the Append_item
applies. When ALL or ANY is specified, the Append_item is applied to all
element types in the requirements data base. A list of legal Append_items
and the information that each causes to be appended to an
Element_type_identifier is shown in Table 3.11.


Table 3.11 Append Item List

Relation_name    A particular RSL relationship.

Attribute_name   A particular RSL attribute.

REFERS           Elements that appear on the structure of the subject
                 element.

REFERRED         Elements with structures that use the subject element.

ALL              All attributes in alphabetical order, followed by all
                 primary relationships in alphabetical order, followed
                 by REFERS, followed alphabetically by all complementary
                 relationships, followed by REFERRED, and finally the
                 element structure or path.

NONE             No associated information.

STRUCTURE        R_NET, SUBNET, or VALIDATION_PATH structure.

ATTRIBUTE        All attributes in alphabetical order.

RELATION or      All primary relationships in alphabetical order followed
RELATIONSHIP     by all complementary relationships in alphabetical order.

PRIMARY          All primary relationships in alphabetical order.

COMPLEMENTARY    All complementary relationships in alphabetical order.

3.7.2.8 Displaying Structures

The command: PLOT provides a means for attaining a CALCOMP plot for
any structure which has been entered into the data base. The general form
of the command is:

PLOT Existing_structure_element Plot_size.

The term Existing_structure_element means R_NET, SUBNET, or VALIDATION_PATH.
The term Plot_size refers to the desired size of the requested plot.
This is written as:

WIDTH = Width_value, HEIGHT = Height_value.

The Width_value and Height_value are stated in inches and as a real or
integer number up to 50 and 29, respectively. The default values (if no
values are provided) are 8 and 10, respectively.

Figure 3-17, shown earlier, illustrated a hand drawn SUBNET whose
structure was translated into RSL and placed in the requirements data base.
Figures 3-24 and 3-25 provide its CALCOMP equivalent from the data base.
Note that the resulting plot is actually two pages of output. The plot of
the SUBNET is shown in Figure 3-24. The title of the SUBNET is shown at the


[Figure 3-25: STRUCTURE LEGEND sheet listing CONDITIONAL EXPRESSIONS AND/OR
COMMENTS by NODE ID and ORDINAL VALUE]

Figure  3-25  Conditional  Expressions  for  the  CALCOMP  Plot  for  SUBNET: 
PROCESS  XMA  A 




top of the plot. The plot looks similar to its hand-drawn equivalent in
Figure 3-17, except that the conditional expressions found on the branches
of the hand-drawn SUBNET are replaced by numbers on the CALCOMP version.
The second sheet of the CALCOMP plot (Figure 3-25) defines the conditional
expressions represented by these numbers and also provides any comments
that may have been entered for the structure. This two-page approach was
selected due to its ease of implementation during development, and has not
been subsequently improved. This feature, and certain other awkward
aspects of the current CALCOMP plot capability (such as the inability of a
plot to be read when there is a large number of nodes on the structure),
represent one of the REVS areas that deserves improvement.

3.7.2.9 Combined Static RADX Tests

In order to reduce the load on the software engineer, and to assure
a complete RADX check is made of the requirements data base, a set of
standard RADX commands has been derived for all appropriate RADX tests.
These have been organized in groups related to specific phases of the
methodology and stored as ADDFILEs for access after each phase is complete.
Such tests exist for Phases 1, 2, 3, 4, and 6. Phases 5 and 7 are
simulation phases, and no static RADX tests are used in these phases. When
used, any LISTed SETs indicate failure of the software engineer to
consistently, completely, and unambiguously describe the software requirement in
accordance with the SREM procedures. Attention should be given to the
items listed to correct the indicated problems. A comment is provided for
each LIST command to describe what error the members of the SET possess, or
to describe the intent of the RADX test whose result is being listed. A
listing of the kinds of tests performed for each phase of SREM is provided
in Tables 3.12 through 3.16 for Phases 1, 2, 3, 4, and 6, respectively.

Several  of  the  combined  RADX  tests  appropriate  for  the  MOM  DFSR 
effort  were  administered  to  the  requirements  data  base.  The  results  of 
these  tests  are  provided  in  Appendix  C.  Normally,  each  of  the  indicated 
problems  would  be  corrected,  and  many  of  the  answers  needed  for  this 
correction  would  come  from  the  user.  However,  under  this  contract,  there 
is  no  user,  and  therefore,  no  correction  of  the  data  base  has  been 
attempted. 



Table 3.12 SREM Phase 1 RADX Checks

ENTITY_CLASS
• NOT CREATED
• NOT DESTROYED
• WITHOUT ENTITY_TYPE

ENTITY_TYPE
• NOT SET
• NOT IN AN ENTITY_CLASS
• IN MORE THAN ONE ENTITY_CLASS

MESSAGE
• OUTPUT MESSAGES NOT FORMED


Table 3.13 SREM Phase 2 RADX Checks

PROVIDES FOR VISUAL CHECK
• ENTITY_CLASS HIERARCHIES
• FREE STANDING FILES
• FREE STANDING DATA
• INPUT_INTERFACE HIERARCHIES
• OUTPUT_INTERFACE HIERARCHIES

PROBLEM REPORTS
• OPEN PROBLEMS
• NOT TRACED FROM ORIGINATING_REQUIREMENT OR ANOTHER DECISION
• NOT TRACED TO [remainder illegible]

SUBSYSTEMS
• UNCONNECTED

INTERFACES
• UNCONNECTED
• CONNECTED TO MORE THAN ONE SUBSYSTEM
• PASSES NO MESSAGES
• AN INPUT_INTERFACE DOESN'T ENABLE R_NET

MESSAGES
• WITHOUT DATA OR FILES
• NOT PASSED BY AN INTERFACE
• PASSED BY MORE THAN ONE INTERFACE

R_NETS
• NOT ENABLED BY AN INPUT_INTERFACE OR EVENT
• MULTI_ENABLED
• ENABLED BY INPUT_INTERFACE NOT ON STRUCTURE

EVENTS
• DOESN'T ENABLE AN R_NET
• DELAYED BY DATA NOT AT LOWEST LEVEL
• DELAYED BY MORE THAN ONE DATA ITEM

STRUCTURES
• AN ALPHA, SUBNET, EVENT, VALIDATION_POINT, INPUT_INTERFACE, OR
  OUTPUT_INTERFACE DOES NOT APPEAR ON A STRUCTURE
• LOGIC NOT DEVELOPED FOR DEFINED STRUCTURE

ENTITIES
• ENTITY_CLASS (OR ONE OF ITS ENTITY_TYPES) NEVER SELECTED ON A
  STRUCTURE
• ENTITY_TYPE DOES NOT CONTAIN ANY DATA OR FILES


Table 3.14 SREM Phase 3 RADX Checks

FILE ORDERING
• MULTI_ORDERED FILES
• FILE ORDERING DATA NOT IN A FILE
• NON_LOWEST LEVEL ORDERING DATA

FILE CONSTRUCTION
• EMPTY_FILES

DATA
• NEITHER A SINK NOR A SOURCE
• SOURCE, BUT NO SINK
• SINK BUT NO SOURCE
• MISSING RANGES FOR ENUMERATED DATA
• RANGE FOR TYPES OTHER THAN ENUMERATION
• NO TYPE
• USE INFORMATION (NEEDED FOR SIMULATIONS)
• DATA IN MORE THAN ONE FILE
• DATA IN MORE THAN ONE ENTITY_CLASS
• DATA IN BOTH AN ENTITY_CLASS AND ENTITY_TYPE
• DATA IN BOTH AN ENTITY AND IN A FILE
• DATA IN BOTH AN ENTITY AND IN A MESSAGE
• DATA IN BOTH A MESSAGE AND A FILE
• LOCAL DATA IN ENTITIES
• GLOBAL DATA IN MESSAGES
• LOCAL DATA IN A GLOBAL FILE
• GLOBAL DATA IN A LOCAL FILE


Table 3.15 SREM Phase 4 RADX Checks

TRACEABILITY
• ORIGINATING_REQUIREMENTS THAT DON'T TRACE TO OTHER ELEMENTS
• DECISIONS THAT DON'T TRACE TO OTHER ELEMENTS
• SOURCES THAT WEREN'T USED

AUTHORSHIP
• UNAUTHORED DATA BASE ELEMENTS

DESCRIPTIONS
• UNDESCRIBED NETS




Table 3.16 SREM Phase 6 RADX Checks

VALIDATION POINTS
• NOT PLACED ON A NET
• PLACED ON MORE THAN ONE NET
• DOESN'T RECORD ANY DATA OR FILES FOR TEST

PERFORMANCE_REQUIREMENTS
• HAS NO TEST WRITTEN FOR IT
• HAS NO VALIDATION PATH FOR IT
• NOT TRACED FROM AN ORIGINATING_REQUIREMENT, A DECISION, OR A SOURCE

VALIDATION PATHS
• NOT CONSTRAINED BY A PERFORMANCE_REQUIREMENT

PROVIDES FOR VISUAL CHECK
• PERFORMANCE_REQUIREMENTS WITHOUT CONSTRAINS TO CHECK AGAINST
  VALIDATION_PATHS NOT CONSTRAINED
• UNCONSTRAINED VALIDATION PATHS TO SEE IF A PERFORMANCE_REQUIREMENT
  SHOULD BE WRITTEN TO CONSTRAIN IT
• SHOWS HOW MANY PERFORMANCE_REQUIREMENTS EACH VALIDATION_PATH
  IS CONSTRAINED BY
• SHOWS HOW MANY VALIDATION PATHS ARE CONSTRAINED BY EACH
  PERFORMANCE_REQUIREMENT.


3.7.2.10  Data  Flow  Analysis 

The  final  static  RADX  test  of  the  data  base  is  the  data-flow 
analysis. This is accomplished by the command:

ANALYZE DATA_FLOW Structure_set_identifier,

where Structure_set_identifier is a class of structures (such as R_NET), or
is the name assigned for the particular R_NET or SUBNET whose analysis is
desired.

The basic data-flow tests of interest are:

• Loop Detection: Identifies any loops that may have been
  inadvertently introduced due to faulty SUBNET
  referencing or a recursive DATA definition via the
  INCLUDES relationship.

• LOCALITY Attribute Test: Checks the LOCALITY attribute
  for DATA and FILES used or produced in the R_NET to
  determine whether LOCAL or GLOBAL. It then assures that
  appropriate use is made in accordance with the assigned
  LOCALITY. For example, only LOCAL DATA and FILES may be
  in a MESSAGE and only GLOBAL DATA and FILES may be
  ASSOCIATED with an ENTITY_CLASS or ENTITY_TYPE.

• Membership Test: Identifies inadvertent inclusion of a
  DATA item in more than one repetitive data set
  (ENTITY_CLASS, ENTITY_TYPE, or FILE).

• Conditional Branching Tests: Checks for ambiguous or
  incomplete statement of branching condition.

• Net Structure Test: Checks for SUBNETS that are
  REFERRED, but which do not have processing logic
  defined, and for incorrect structure logic caused by
  improper rejoins after OR or AND node branching.

• Information Assignment/Usage Tests: Checks for
  information used without a source, and information
  assigned (produced) that is not used.

• Ambiguous Flow Test: Checks to see if the change in the
  sequence of processing of paths initiated by an AND node
  could cause the source of information for any following
  R_NET node to change.

After listing the flow of DATA within the R_NET, the MESSAGES input to the
R_NET and produced by it (with the FILE and DATA that MAKES them), any
errors detected by the tests described above are listed. The locations of
errors in the R_NET are pin-pointed by a list of walk back information
which shows the preceding nodes in the order traversed from each error node
back to the top of the R_NET. An example of a data flow analysis for the
XMA Real-Time Process will be found in Appendix C.
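
Three of the tests above (loop detection over INCLUDES, information used without a source with its walk back, and information assigned but not used) can be illustrated on a small net. This Python model is an added example, not the REVS implementation; the R_NET, its node names and its DATA names are constructed, and branching is treated as simple enumeration of paths from the top node.

```python
# Added illustration, not REVS code: simplified versions of three of the
# data-flow tests named above, run on constructed data.

# Constructed INCLUDES relationships between DATA items.
INCLUDES = {
    "WORK_ORDER": ["HEADER", "TASK_LIST"],
    "TASK_LIST": ["TASK"],
    "TASK": ["TASK_LIST"],        # recursive DATA definition
    "HEADER": [],
}

# Constructed R_NET: node -> (DATA used, DATA produced, following nodes).
R_NET = {
    "INPUT_IF":   (set(), {"ORDER_NR", "HOURS"}, ["VALIDATE"]),
    "VALIDATE":   ({"ORDER_NR"}, {"VALID"}, ["OR_1"]),
    "OR_1":       ({"VALID"}, set(), ["POST_HOURS", "REJECT"]),
    "POST_HOURS": ({"HOURS", "RATE"}, {"COST"}, ["SEND_COST"]),
    "REJECT":     ({"ORDER_NR"}, {"ERROR_TEXT", "RETRY_COUNT"}, ["SEND_ERROR"]),
    "SEND_COST":  ({"COST"}, set(), []),
    "SEND_ERROR": ({"ERROR_TEXT"}, set(), []),
}


def includes_loops(includes):
    """Return the INCLUDES loops found by a depth-first search."""
    loops, finished = [], set()

    def walk(item, path):
        if item in path:                       # came back to an ancestor
            loops.append(path[path.index(item):] + [item])
            return
        if item in finished:
            return
        for child in includes.get(item, []):
            walk(child, path + [item])
        finished.add(item)

    for item in sorted(includes):
        walk(item, [])
    return loops


def flow_errors(r_net, top, global_data=frozenset()):
    """Report DATA used on some path before any node on that path produced it.

    Each error is (DATA name, walk back), where the walk back lists the
    nodes from the error node back to the top of the net.
    """
    errors = []

    def walk(node, path, available):
        if node in path:                       # do not follow a looping net
            return
        uses, produces, following = r_net[node]
        path = path + [node]
        for item in sorted(uses - available):
            record = (item, path[::-1])
            if record not in errors:
                errors.append(record)
        for nxt in following:
            walk(nxt, path, available | produces)

    walk(top, [], set(global_data))
    return errors


def unused_assignments(r_net, output_data=frozenset()):
    """DATA produced somewhere in the net but used nowhere."""
    produced = set().union(*(p for _, p, _ in r_net.values()))
    used = set().union(*(u for u, _, _ in r_net.values()))
    return sorted(produced - used - set(output_data))


if __name__ == "__main__":
    print("INCLUDES loops:", includes_loops(INCLUDES))
    for item, walk_back in flow_errors(R_NET, "INPUT_IF"):
        print(f"{item} used without a source; walk back: {walk_back}")
    print("Assigned but not used:", unused_assignments(R_NET))
```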




3.8  ANALYSIS  OF  THE  SREM  APPLICATION  EFFORT 


During the period of performance two requirements engineers worked
full time on this effort, two others worked part time, and supervision
added an equivalent effort of just over one-half a person. Over the
approximately 6-1/2 months of technical activity this was the equivalent of
just under 2-2/4 requirements engineers. The SREM engineering effort
applied to evaluation of the MOM DFSR totals 2660 man-hours. Engineering
man-hours were allocated to 16 identifiable tasks as shown in Table 3.17.
Since the R_NET is the focal point of SREM activity, much time was spent on
it for the MOM DFSR. It has, historically, been one of the most time
consuming activities. A total of 1152 man-hours have been applied to date
to defining R_NETs. That is 43.1 percent of the total engineering time
applied in this effort.


Table 3.17 SREM Task/Time Allocation

                              HOURS APPLIED   % OF TOTAL HOURS APPLIED
SPECIFICATION RESEARCH                   23   .3%
RECORD PROBLEMS                         146   5.5%
DEFINE SUBSYSTEMS                        20   .3%
DEFINE INTERFACES                        26   .9%
[task name illegible]                    34   2.0%
DEFINE MESSAGE CONTENTS                 196   7.4%
DEFINE R_NETS                          1152   43.1%
ENTITY CLASS                             11   1.5%
[task name illegible]                     0   .2%
ENTITY DATA DETAIL                        5   .2%
ESTABLISH TRACEABILITY                  149   5.7%
STATIC RADX                             166   5.3%
[task name illegible]                   138   [illegible]
REQUIREMENTS REGENERATION               142   5.3%
SREM EVALUATION                          25   .3%
REVIEW & COORDINATION                   172   [illegible]
FINAL REPORT                            148   5.7%

As stated earlier in this report, R_NETs are developed to describe
the stimulus/response relationship required of software to process each of
the input messages. Because of the unique view of processing provided by
this technique, most of the specific problems in the software specification
were found during the process of defining R_NETs. Those problems were
documented by Trouble Reports, the time for which is reported under Record
Problems. A total of 146 man-hours, or 5.5 percent of the effort, was
applied to this task.

Prior to the definition of R_NETs, some preliminary tasks had to
occur. These tasks included Specification Research, Definition of
SUBSYSTEMS, Definition of Interfaces, GLOBAL DATA Definition
(ENTITY_CLASSes, ENTITY_TYPEs, and ASSOCIATED DATA detailing). A total of 122
man-hours were applied to these tasks, or 4.5 percent of total man-hours
applied. Another preliminary effort included defining MESSAGES, MESSAGE
contents, and establishing traceability. In all the preliminary efforts,
translation and entry of the defined elements and their relationships into
the requirements data base was accomplished concurrently, and is included
in the totals. These tasks required 399 man-hours, or 15 percent of total
man-hours applied. RADX testing, data base correction, and the
regeneration of requirements utilized 496 man-hours, or 18.7 percent of the total.
The man-hours applied to administrative type tasks, such as SREM
Evaluation, Review and Coordination, and Final Report preparation totalled
345 or 13 percent of total man-hours applied.

Our  past  experience  indicates  that  the  best  estimating  relationship 
for  determining  the  amount  of  effort  needed  for  a  SREM  application  is  based 
on  the  number  of  input  MESSAGES  and  EVENTS  that  stimulate  the  R_NETs  that 
must be defined. In this effort, there have been 62 input MESSAGES and no
EVENTS. A total of 2660 man-hours have been applied to the effort, thus
averaging 42.9 man-hours per stimulus. Previous experience indicates that
approximately  40  man-hours  per  stimulus  is  typical,  which  is  comparable 
with  the  MOM  DFSR  effort. 

The average is, however, somewhat understated because of certain
peculiarities we experienced, although they probably are typical of
information systems of this type. Some of the characteristics of the software
specification that differ in this application compared to most of our
previous applications are:

• Larger set of input and output MESSAGES.

• Larger GLOBAL data base as reflected in the number of
  ENTITY_CLASSes defined.

• Logical strings of operator/data processor interactions
  (e.g., prompt, operator response, error message and
  reprompt, operator response, next prompt, etc.).

• Considerable introduction of design into the requirement,
  particularly the heavy use of pre-sorting.

SREM was designed to develop and express the logical functional and
performance requirement, and not to express actual implementation. To the
extent that such implementations are introduced, SREM application efforts
increase. Because of implementation in the MOM DFSR, and the other
problems, discussed earlier, approximately half of our effort was at a level of
summary higher than normal. Although this probably resulted in finding
fewer deficiencies in those areas where the approach was used, it did allow
us to complete the requirements data base so that important RADX tests
could be made. We estimate that, had the engineering assessment been
totally applied at the normal level of effort, the application time
probably would have increased about 25 percent per input MESSAGE.

If we had not taken the generic approach to the real-time input of
information, rather than treating each of the approximately 570 data items
that could be entered as separate MESSAGES, application time to define this
processing would have been significantly larger. We believe the impact of
processing every data item as a separate MESSAGE, as a literal
interpretation of this specification, would have been to increase the application
effort by about 300 hours. This would amount to slightly more than double
the overall effort; under this contract, about 36 man-months.

For a specification the size of the MOM DFSR, three man-years of effort
seems reasonable when compared to the advantages that will result from
having a complete, consistent, and unambiguous specification from which to
re-accomplish software design. We believe that much more than this amount
of effort and cost would be saved over the remaining life cycle of the
development of this software package. An even more positive savings would
have resulted if the software specification had been originally developed
with SREM. For more discussions of software development costs and the
impact of SREM in reducing them, see Section 5.


4.0  RESULTS  OF  SREM  APPLICATION 


In  preceding  sections  we  have  described  the  basic  components  of  SREM, 
illustrated  how  we  defined  pertinent  information  to  create  the  requirements 
data  base  for  the  MOM  DFSR,  and  described  how  we  evaluated  the  data  base 
using  the  automated  RADX  capability.  During  those  activities,  identified 
deficiencies  in  the  specification  were  documented  in  Trouble  Reports  and 
entered  into  the  data  base.  The  purpose  of  this  section  is  to  describe  the 
results  of  this  effort  which  (for  a  verification  effort  of  this  type) 
primarily  are  the  documented  deficiencies.  An  added  effort,  described 
herein,  is  the  description  of  the  regeneration  of  the  requirements  from  the 
REVS  data  base. 




4.1  DESCRIPTION  OF  TROUBLE  REPORTS 

The attainment of good software requirements is not easy. Even
though the desirable characteristics of a good specification are well
understood, capturing those qualities in the production of software
specifications has proved elusive. The major qualities that are sought were
described in Paragraph 2.2. The development of SREM had the goal of
attaining these qualities, when used to develop the original software
requirements. It has also proven its capability to identify the lack of
these qualities within existing software specifications in its verification
role.

Recognized deficiencies in the MOM DFSR were documented using a
Trouble Report form as a worksheet, for eventual entry into the data base.
Normally, these Trouble Reports would have been submitted to the
organization which had developed the specification to attain their response
concerning corrective action. In this effort, no such organization existed
and, therefore, the MOM DFSR has not been totally corrected. Rather, the
deficiencies have simply been recorded to evidence the results of the
verification effort.

4.1.1  Trouble  Report  Format 

The Trouble Report form (Figure 4-1) is an AIRMICS version of a
standard form that was designed for the interaction between the developer
and verifier. Problems found by the verifier are described as completely
as possible in the "PROBLEM" block so as to assure understanding by the
developer. If any alternatives appear appropriate for solving the PROBLEM,
they are included in the "ALTERNATIVES" block by the verifier. The
remainder of the header blocks are also completed by the verifier and the
Trouble Report is forwarded to the developer. His choice of alternatives
or other solution is reported back to the verifier, usually using the
"CHOICE" block for his reply. Since we had no developer responses, we
filled in the "CHOICE" block on each Trouble Report, wherein we suggested
the action needed to correct the stated PROBLEM.

In order to develop statistics on the kinds of deficiencies being
identified, a "CATEGORY OF PROBLEM" block was provided for five specific
categories, plus an "OTHER" category. The definitions we applied in
determining these deficiency categories are as follows:


[Figure 4-1 is a blank form with the following blocks: TROUBLE REPORT NR;
DATE PREPARED; DATE CLOSED; SOURCE OF TROUBLE REPORT (TM 38-L71-2: DFSR
SAMS 1 (MOM), PAGE NR; TM 38-L72-2: DFSR SAMS 2 (MPQM), PAGE NR; TABLE NR;
PARAGRAPH NR; FIGURE NR); DECISION; TRACES TO; TRACED FROM; CATEGORY OF
PROBLEM (AMBIGUOUS, MISSING, INCONSISTENT, INCOMPLETE, ILLOGICAL, OTHER);
PROBLEM; ALTERNATIVES; CHOICE; TROUBLE REPORT PREPARED BY; DATE ENTERED IN
DATA BASE; PROVIDED FOR INFORMATION ONLY; RESPONSE REQUESTED; AIRMICS
RESPONSE BY; DATE OF RESPONSE.]

Figure  4-1  AIRMICS  Trouble  Report  Form 




• AMBIGUOUS: Processing requirements from flowcharts,
  decision logic tables, and processing subparagraphs
  present unclear intentions due to vague descriptions of
  logic paths, unclear naming or use of data, or
  descriptions that defied determination of the true intent of
  described processing.

• MISSING: Data that is defined as being used or produced
  during processing, but is missing from Annex C of the
  DFSR, as well as steps or tables referred to in the
  DLTs, but which were actually missing. Certain
  RADX-discovered problems also fall in this category.

• INCONSISTENT: Data names that are different for
  identical data items, same data name used for different data
  items, and different data having the same (and
  therefore, ambiguous) names. Also included are processing
  steps that are inconsistent between DLTs.

• INCOMPLETE: Processing requirements from DLTs that omit
  processing logic and/or other required information.
  Certain RADX discovered problems also fall in this
  category.

• ILLOGICAL: Processing requirements from DLTs that
  present processing steps in an illogical order, such
  that the intended processing cannot be attained.

4.1.2  Entry  of  Trouble  Reports  into  the  Requirements  Data  Base 

When  completed,  the  Trouble  Report  information  was  translated  from 
the  forms  into  RSL  and  entered  into  the  requirements  data  base.  This  was 
accomplished  by  using  the  basic  RSL  element:  DECISION.  DECISION  has 
predefined  attributes  and  relationships  that  match  major  portions  of  the 
Trouble Report. These include:

• Relationships:

  - TRACES TO (any RSL Element)

  - TRACED FROM ORIGINATING_REQUIREMENT

• Attributes:

  - PROBLEM

  - ALTERNATIVE

  - CHOICE

  - TROUBLE REPORT PREPARED BY (called ENTERED_BY in RSL).


Because RSL is easily extensible, other items on the Trouble Report
were created as new RSL elements with new relationships to DECISION, or as
new attributes for DECISION. These included the following items:

• Relationships:

  - SHOWN_ON REF_LOCATION (Page Number)

  - IDENTIFIED_BY TROUBLE_REPT_NR

• Attributes:

  - DATE_PREPARED

  - CATEGORY_OF_PROBLEM (AMBIGUOUS, MISSING, ETC.)

  - DATE_CLOSED.

The extension of the RSL to allow the above changes to translate
successfully for acceptance and storage is accomplished quite easily. The
necessary RSL commands to accomplish this extension are shown in Figure
4-2.


ELEMENT_TYPE: TROUBLE_REPT_NR (* *).

RELATION: IDENTIFIES (* *).
    COMPLEMENTARY RELATION: IDENTIFIED_BY.
    SUBJECT ELEMENT_TYPE: TROUBLE_REPT_NR.
    OBJECT ELEMENT_TYPE: DECISION.

ATTRIBUTE: CATEGORY_OF_PROBLEM (* *).
    APPLICABLE: DECISION.
    VALUE: AMBIGUOUS.
    VALUE: MISSING.
    VALUE: INCONSISTENT.
    VALUE: INCOMPLETE.
    VALUE: ILLOGICAL.
    VALUE: OTHER.

ATTRIBUTE: DATE_PREPARED (* *).
    APPLICABLE: DECISION.
    VALUE: TEXT.

ATTRIBUTE: DATE_CLOSED (* *).
    APPLICABLE: DECISION.
    VALUE: TEXT.

ELEMENT_TYPE: REF_LOCATION (* *).

RELATION: SHOWS (* *).
    COMPLEMENTARY RELATION: SHOWN_ON.
    SUBJECT ELEMENT_TYPE: REF_LOCATION.
    OBJECT ELEMENT_TYPE: DECISION.


Figure 4-2 RSL Extensions to Support Trouble Report Entries


4.1.3 RADX Support of Management Review of Trouble Report

RADX was used throughout this project to assure completeness of the
Trouble Reports in the data base. The kinds of checks made by RADX
included the following:

• Missing TR numbers.

• Missing PROBLEM statements.

• Missing page number source.

• Missing traceability to ORIGINATING_REQUIREMENTs.

• Missing CATEGORY_OF_PROBLEM.

• Missing CHOICE.

The RADX commands necessary to automatically check through the large number
of Trouble Reports for the kind of problems outlined above are shown in
Figure 4-3, and are in the same order as the above list. Wherever the SET
COUNT is zero, there are no problems of that type. If the SET COUNT is
greater than zero, a command to LIST the SET will provide the names of the
DECISIONS which are deficient in the way defined in the SET so that the
missing information can be provided.

A critical management function is control. The manager needs tools
that he can easily use to control the progress of his project. Proper
utilization of the RADX function, such as shown here, helps the manager
identify the problems he is interested in so that he may give them the
proper attention.


[Figure 4-3 content: RADX session listing. For each of the six checks listed
above, a command of the form SET <name> = DECISION WITHOUT <relationship or
attribute>. is followed by the resulting SET COUNT; the set names and
counts are not legible.]


Figure  4-3  RADX  Checks  for  Incomplete  Trouble  Reports 
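
The six completeness checks can be modelled as "DECISION WITHOUT item" sets over a small data base. The Python below is an added example, not RADX or REVS code; it resolves the complementary relationships defined in Figure 4-2 back to their primary form, and it assumes that the page number check keys on SHOWN_ON. All element names and Trouble Report contents are constructed.

```python
# Added illustration, not REVS/RADX code: evaluate "DECISION WITHOUT x"
# sets over a constructed requirements data base.

# Complementary relationship -> (primary relationship, subject element type).
# IDENTIFIED_BY and SHOWN_ON follow Figure 4-2; TRACED FROM is the
# complement of the predefined TRACES TO.
COMPLEMENTARY = {
    "IDENTIFIED_BY": ("IDENTIFIES", "TROUBLE_REPT_NR"),
    "SHOWN_ON": ("SHOWS", "REF_LOCATION"),
    "TRACED FROM": ("TRACES TO", "ORIGINATING_REQUIREMENT"),
}

# Checks in the order of the list in the text (SHOWN_ON is an assumption).
CHECKS = ["IDENTIFIED_BY", "PROBLEM", "SHOWN_ON", "TRACED FROM",
          "CATEGORY_OF_PROBLEM", "CHOICE"]

# Constructed data base: three Trouble Reports stored as DECISIONs.
ELEMENTS = {
    "TR_001": {"type": "DECISION", "attrs": {
        "PROBLEM": "ADJUST MH_RMN does not say which file is adjusted.",
        "CATEGORY_OF_PROBLEM": "AMBIGUOUS",
        "CHOICE": "Name the file to be adjusted."}},
    "TR_002": {"type": "DECISION", "attrs": {
        "PROBLEM": "Data item is not defined in the annex.",
        "CATEGORY_OF_PROBLEM": "MISSING"}},            # no CHOICE entered
    "TR_003": {"type": "DECISION", "attrs": {
        "PROBLEM": "",                                  # PROBLEM left empty
        "CATEGORY_OF_PROBLEM": "ILLOGICAL",
        "CHOICE": "Reorder the processing steps."}},
    "NR_001": {"type": "TROUBLE_REPT_NR"},
    "NR_002": {"type": "TROUBLE_REPT_NR"},
    "PAGE_A": {"type": "REF_LOCATION"},
    "REQ_A": {"type": "ORIGINATING_REQUIREMENT"},
}

# Relationships are stored in their primary direction: (subject, name, object).
RELATIONSHIPS = [
    ("NR_001", "IDENTIFIES", "TR_001"),
    ("NR_002", "IDENTIFIES", "TR_002"),
    ("PAGE_A", "SHOWS", "TR_001"),
    ("PAGE_A", "SHOWS", "TR_003"),
    ("REQ_A", "TRACES TO", "TR_001"),
    ("REQ_A", "TRACES TO", "TR_002"),
    ("TR_001", "TRACES TO", "TR_003"),   # traced from a DECISION only
]


def without(element_type, item, elements, relationships):
    """Names of the elements of element_type that lack item.

    item is either a complementary relationship (resolved to its primary
    form and required subject type) or an attribute name.
    """
    members = sorted(n for n, e in elements.items()
                     if e["type"] == element_type)
    if item in COMPLEMENTARY:
        primary, subject_type = COMPLEMENTARY[item]
        linked = {obj for subj, rel, obj in relationships
                  if rel == primary
                  and elements.get(subj, {}).get("type") == subject_type}
        return [m for m in members if m not in linked]
    return [m for m in members if not elements[m].get("attrs", {}).get(item)]


def review(elements, relationships):
    """Return {check: (set count, members)} for the six checks."""
    report = {}
    for item in CHECKS:
        members = without("DECISION", item, elements, relationships)
        report[item] = (len(members), members)
    return report


if __name__ == "__main__":
    for item, (count, members) in review(ELEMENTS, RELATIONSHIPS).items():
        print(f"DECISION WITHOUT {item}: SET COUNT = {count} {members}")
```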


4.2  EVALUATION  OF  DISCREPANCIES 


The  size  and  scope  of  MOM  DFSR,  along  with  its  related  annexes, 
suggest  a  significant  effort  was  originally  involved  in  its  development.  A 
strong hierarchy of traceability is communicated throughout the DFSR and a
thorough discussion of not only what processing was required to be
accomplished, but also how that processing fit into the overall concept of
operations was provided. In addition, attempts were clearly made to assure
consistency  in  data  naming  among  the  various  documents  that  compose  the 
DFSR.  In  addition,  we  found  that  the  Decision  Logic  Tables  (DLTs)  used  on 
the  DFSR  were  an  excellent  approach  toward  clearly  defining  the  processing 
required. 

4.2.1  DLT  Considerations 

As with all other efforts of this size, human frailty intrudes to a
maximum degree. We observed, for example, different levels of quality
(read detail) among the DLTs such that we could almost group them by
author. The very fact that the DLTs provide considerable detail increased
the opportunity for more errors to occur. Because there probably were no
automated tools to assist in the developer's verification of the
completeness and correctness of the DLTs, the original review and verification was
by other humans with the same set of frailties as the DLT authors.

One of the difficulties often found in the DLTs was the ambiguity
in the description of the processing step. For example:

Table 319, Sequence No. 4 (Figure 4-4) states: "Add MH_EXP_TEN to
WORF. ADJUST MH_RMN". This statement follows a prompt for, and entry of,
MH_EXP_TEN from Sequence 3 of Table 316 (not shown). Sequence 4 of Table
319 also follows other actions (Sequences 2 and 3) that require data to be
overlaid on the TPR. The Data element MH_RMN is contained in both the
WORF and the TPR files. The first part of Sequence 4, Table 319, is
specific: "ADD MH_EXP_TEN TO WORF". The second part of Sequence 4 ("ADJUST
MH_RMN") is ambiguous, however, and the designer is not sure if "ADJUST
MH_RMN" refers to the WORF only, TPR only, or to both files.




4.2.2 R_NET Contribution to Identification of DLT Deficiencies

R_NET definition requires consideration of the availability of data
as it flows through its processing steps and provides strong clues for
identifying needed processing paths at nodes where branching decisions are
made, particularly error paths that could arise due to the situation at
these nodes. This R_NET characteristic was a major factor in recognizing
the logic errors and omissions found in the DLTs.

The R_NET definition step is intolerant of ambiguity. In order to
complete an R_NET, all aspects of the data flow in the process must be
known. As a result, several questions are always under consideration, such
as:

• What GLOBAL DATA is needed?

• What LOCAL DATA is available from the MESSAGE which
  stimulated traversal of the R_NET, from outputs of
  preceding processing steps (ALPHAs), or from the initial
  values of LOCAL DATA which are set each time the R_NET
  is used?

• What branching is appropriate, what DATA will be used
  for branching decisions, and what DATA values will
  determine which branch shall be traversed?

• What DATA is needed to FORM output MESSAGES that are to
  be transmitted as a result of R_NET processing, what is
  the source of the DATA needed for the transformations
  necessary to MAKE the needed output MESSAGE, and what
  processing steps (ALPHAs) are necessary to accomplish
  the necessary transformations?

All ambiguous descriptions had to be directly addressed, so that when
the software engineer could not understand the intent as described, or when
needed information to complete the R_NET was missing, the problem quickly
became apparent. Thus, the R_NET development was the major contributor in
the recognition of illogical processing, missing processing, and ambiguous
descriptions of processing.

4.2.3 Special SREM Procedures to Assure Unambiguous DATA Naming

One of the most pervasive problems common to all software
specifications is the difficulty in being specific about a named DATA item.
The normal approach, which was also common in the MOM DFSR, is to try to use
exactly the same name throughout. On the surface, this seems appropriate
but, in reality, that item can actually be several different data items
during a process. Initially it may be in the input stream and be stored
for later use, possibly in more than one GLOBAL file. Later it may be
accessed and placed in still other GLOBAL files, or used for transmission
in the output stream. These may be simply described as the transfer of the
value resident from data of one type to another type. However, in
describing the processing logic it is difficult to express the form of the
data item being described without the use of considerable modifying
information.

Take, for example, the DATA item UIC_CUST (Unit Identification Code
Customer). On DLT 4, the item is used several times, and is referred to in
several forms as follows:

Sequence No.     Reference to UIC_CUST

1,2,3            XMA UIC_CUST
1                UIC_CUST ON X_REF FILE
4                UIC_CUST ON WORF

Clearly, three different UIC_CUST DATA items are involved here. The
writers of the MOM DFSR took pains to indicate which data item was
intended, but at times the meaning of the descriptive modifiers was found
to be ambiguous. So, even though the name UIC_CUST will be found in Annex A
and Annex B as a data item in input and output descriptions, and in
multiple GLOBAL files of Annex D, it really is a different data item in
each of those contexts. As we have seen, this is reflected by the need to
use modifiers in the DLTs to indicate which UIC_CUST was being described.

The way this problem was handled within RSL on this effort was to use
the basic name (UIC_CUST) and append a descriptive suffix. For example, if
UIC_CUST MAKES an input MESSAGE, we used the name UIC_CUST_IN. Conversely,
if it MAKES an output MESSAGE it was given the name UIC_CUST_OUT. In its
GLOBAL form, ASSOCIATED WITH an ENTITY_CLASS or ENTITY_TYPE, it was given
an appropriate suffix for that ENTITY. Some examples, showing the related
ENTITY, are:

• UIC_CUST_CRF_3
  (CROSS_REFERENCE_FILE)

• UIC_CUST_XMX_DABS
  (CROSS_REFERENCE_TRANSACTIONS_XMX_3_DABS)

• UIC_CUST_XME_A_DABS
  (EQUIPMENT_RECALL_NEW_ITEM_XME_A_DABS)

• UIC_CUST_EORR
  (EQUIPMENT_RECALL_REO)

• UIC_CUST_MPR
  (MAINTENANCE_PROGRAM_REQUIREMENTS)

• UIC_CUST_UED
  (USAGE_EXCEPTION_LIST_DATA_BASE)

• UIC_CUST_WORF
  (WORK_ORDER_REGISTRATION_FILE)

By using this approach, we have unambiguously named all the forms that each
basic data item can take. As a result, RADX can apply its various tests to
each one of these DATA items and a more precise determination of
consistency will result.

4.2.4 Identification of Consistency Problems via RSL and RADX

The major contribution of RSL is the discovery of consistency
problems. For example, RSL requires that every element in the data base
possess a unique name. Thus, if there is an attempt to name a MESSAGE with
the name previously given to (say) a DATA item, a translation error code
will be provided when an attempt is made to enter the MESSAGE into the data
base. This prevents inadvertent duplicate naming of different elements.

Detection of the duplicate naming problem just described is most useful
when SREM is being utilized to create the software requirements from a
system level requirement. Consistency problems in verification efforts are
more often discovered during the RADX evaluation. But, in order to use RADX
to discover these problems, a particular approach during R_NET development
is required during the verification effort.

The approach used for verifying the MOM DFSR to prepare for RADX was
to record the exact name of the DATA item, as given in the DLT, even if
known to be wrong, and to use it as described for the processing, such as
for branching decisions, or for ALPHA INPUTS or OUTPUTS, or to MAKE an
output MESSAGE. Part of the RADX tests check DATA consistency by
establishing the SET of DATA that is produced by the DP system (source
DATA), and a SET of DATA that is used by it (sink DATA), and then comparing
the two SETs for mismatches. DATA is considered to be source DATA when it:




• MAKES an input MESSAGE.

• Is OUTPUT FROM an ALPHA.

• Is LOCAL but has an INITIAL_VALUE.

• Is CONTAINED in a FILE which:

  - MAKES an input MESSAGE.

  - Is OUTPUT FROM an ALPHA.

DATA is considered to be sink DATA when it:

• MAKES an output MESSAGE.

• Is INPUT TO an ALPHA.

• Is used (REFERRED) by the R_NET for branching decisions.

• Is RECORDED BY a VALIDATION_POINT.

• DELAYS an EVENT on the R_NET.

• ORDERS a FILE (establishes a desired order of DATA
  instances).

• Is CONTAINED IN a FILE which:

  - MAKES an output MESSAGE.

  - Is INPUT TO an ALPHA.

  - Is RECORDED BY a VALIDATION_POINT.

DATA that are produced (source DATA) should also be used (sink
DATA) and, conversely, all that are used should be produced. A portion of
RADX is designed to make that check. DATA may be found via RADX that has
neither sink nor source. When this occurs, it is DATA which has been named
but never given a relationship with any other element such that it could
qualify as either sink or source DATA. DATA which has a source but not a
sink, or a sink without a source, usually results from not being
consistently named in the specification being verified.

If a mismatch between source and sink DATA occurs, it does not
automatically follow that the mismatch is the result of inconsistent DATA
naming. It is also possible that some other problem may exist. Some
examples:

• An output MESSAGE was FORMED BY an ALPHA using DATA
  produced by the ALPHA, but the MESSAGE was not actually
  defined separately as being MADE BY the DATA in
  question.

• An input MESSAGE was defined and the DATA that MAKES the
  MESSAGE indicated. Inadvertently, that MESSAGE was
  never defined as being FORMED BY an ALPHA on an R_NET.

• An EVENT was defined as being DELAYED BY a DATA item
  (which actually is a predefined constant indicating the
  length of the delay), but the DATA item was not given an
  INITIAL_VALUE.

Thus,  it  can  be  seen  that  when  there  is  a  mismatch  of  source  and  sink  DATA, 
the  software  engineer  has  to  investigate  the  reason. 
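
The source/sink comparison described in this section, sketched as an added example that is not part of the original report and is not RADX code. The relationship names come from the two lists above; the tuple data model and the ALPHA, MESSAGE, EVENT and R_NET names (UPDATE_WORF, XMA_MSG and so on) are assumptions, and the DATA names reuse the report's suffix convention on constructed data.

```python
# Added example (not RADX code): source/sink DATA check on a constructed
# data base. Relationship names follow the report's two lists; the tuple
# data model and the ALPHA, MESSAGE, EVENT and R_NET names are assumptions.

DIRECT_SOURCE = {"OUTPUT FROM"}
DIRECT_SINK = {"INPUT TO", "REFERRED BY", "RECORDED BY", "DELAYS", "ORDERS"}
# A FILE passes a role to the DATA it CONTAINS only through these relations
# (plus MAKES, which is resolved by message direction for DATA and FILEs).
FILE_SOURCE = {"OUTPUT FROM"}
FILE_SINK = {"INPUT TO", "RECORDED BY"}


def roles(name, db, source_rels, sink_rels):
    """Return (is_source, is_sink) for one element from its own relationships."""
    is_source = is_sink = False
    for subject, relation, target in db["relations"]:
        if subject != name:
            continue
        if relation == "MAKES":
            # The direction of the MESSAGE decides which SET the element joins.
            direction = db["messages"].get(target)
            is_source = is_source or direction == "input"
            is_sink = is_sink or direction == "output"
        elif relation in source_rels:
            is_source = True
        elif relation in sink_rels:
            is_sink = True
    return is_source, is_sink


def check_source_sink(db):
    """Compare the source and sink DATA sets and report the mismatches."""
    report = {"source_without_sink": [], "sink_without_source": [],
              "unrelated": []}
    for name, attrs in sorted(db["data"].items()):
        is_source, is_sink = roles(name, db, DIRECT_SOURCE, DIRECT_SINK)
        # LOCAL DATA with an INITIAL_VALUE counts as produced.
        if attrs.get("locality") == "LOCAL" and "initial_value" in attrs:
            is_source = True
        # Roles inherited from every FILE the DATA is CONTAINED IN.
        for subject, relation, target in db["relations"]:
            if subject == name and relation == "CONTAINED IN":
                f_source, f_sink = roles(target, db, FILE_SOURCE, FILE_SINK)
                is_source = is_source or f_source
                is_sink = is_sink or f_sink
        if is_source and not is_sink:
            report["source_without_sink"].append(name)
        elif is_sink and not is_source:
            report["sink_without_source"].append(name)
        elif not is_source and not is_sink:
            report["unrelated"].append(name)
    return report


# Constructed sample: names are recorded exactly as a DLT might give them,
# including the WORF/TPR confusion over MH_RMN discussed in 4.2.1.
SAMPLE_DB = {
    "messages": {"XMA_MSG": "input", "WORK_ORDER_REPORT": "output"},
    "data": {
        "UIC_CUST_IN": {"locality": "LOCAL"},
        "UIC_CUST_WORF": {"locality": "GLOBAL"},
        "MH_EXP_TEN_IN": {"locality": "LOCAL"},
        "MH_RMN_WORF": {"locality": "GLOBAL"},
        "MH_RMN_TPR": {"locality": "GLOBAL"},
        "REPORT_DELAY": {"locality": "LOCAL"},            # no INITIAL_VALUE
        "RETRY_LIMIT": {"locality": "LOCAL", "initial_value": 3},
        "MH_RMN": {"locality": "GLOBAL"},                 # named, never related
    },
    "relations": [
        ("UIC_CUST_IN", "MAKES", "XMA_MSG"),
        ("MH_EXP_TEN_IN", "MAKES", "XMA_MSG"),
        ("UIC_CUST_IN", "INPUT TO", "UPDATE_WORF"),
        ("MH_EXP_TEN_IN", "INPUT TO", "UPDATE_WORF"),
        ("UIC_CUST_WORF", "CONTAINED IN", "WORF"),
        ("WORF", "OUTPUT FROM", "UPDATE_WORF"),
        ("WORF", "INPUT TO", "BUILD_REPORT"),
        ("MH_RMN_WORF", "OUTPUT FROM", "UPDATE_WORF"),    # produced, never used
        ("MH_RMN_TPR", "MAKES", "WORK_ORDER_REPORT"),     # used, never produced
        ("REPORT_DELAY", "DELAYS", "REPORT_DUE"),
        ("RETRY_LIMIT", "REFERRED BY", "WORK_ORDER_NET"),
    ],
}

if __name__ == "__main__":
    for finding, names in check_source_sink(SAMPLE_DB).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

In the sample, the MH_RMN_WORF / MH_RMN_TPR pair is the kind of mismatch that inconsistent naming produces, while REPORT_DELAY reproduces the missing INITIAL_VALUE case from the list above, which is why each finding still has to be investigated by hand.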

4.2.5  Identification  of  Consistency  Problems  by  Observation 

When the approach given above is used, inconsistent DATA becomes
imbedded in the data base. For a normal verification effort this is
acceptable, and the inconsistency is removed only when the developer
actually corrects the inconsistent name in his specification. In our efforts
under this contract, however, we were required to demonstrate the REVS tools
and their use for Data Flow analysis and regeneration of the requirements.
With imbedded problems, neither of these demonstrations can be properly
accomplished. Therefore, only a few inconsistencies were allowed in the
data base to illustrate the RADX capabilities to discover them. For the
most part, however, inconsistencies recognized by the software engineers
during this effort were recorded in Trouble Reports, but corrected before
being entered into the data base so as to better support the Data Flow
Analysis, and to allow an example of regenerated requirements to be
produced via the RADX documentation capability.

4.2.6 Identification of Problems by RADX

The primary role of RADX is the determination of inconsistency and
incompleteness of the information in the data base. Nearly all the sets
are created for those purposes. The results of the RADX runs, which were
accomplished at the completion of the data base, are provided in Annex 1.
How RADX was used was the subject of earlier discussions in Sections 2 and 3
and, therefore, will not be repeated here. The results of the findings of
the RADX runs shown in Appendix C are summarized in Paragraph 4.4.




4.2.7  Summary  of  Deficiency  Findings 

A  total  of  302  Trouble  Reports  have  been  written  as  a  result  of  the 
verification  effort  on  the  MOM  DFSR.  A  percentage  breakout  of  the  kinds  of 
deficiencies  reported  is  shown  in  Figure  4-5. 

The largest category of deficiencies was inconsistency. This is not
surprising, given the large number of data names that were involved and the
amount of multiple data naming caused by the format of the specification.
The process of coordinating the data naming must have been a large job
since many people apparently worked to produce the document. This factor
alone provided significant opportunities for inconsistent naming. The
benefit of the automated REVS tools is apparent when compared to the manual
approach undoubtedly used in the MOM DFSR. Suppose it is discovered that a
data item inadvertently had been given two names and that an effort must be
mounted to correct this inconsistency. In the manual mode, many hundreds
of pages would have to be inspected to assure that the incorrect name was
changed to the one that was to survive. It would probably take an hour or
two to check through all the pages of the DFSR in such an effort, plus the
time necessary to retype all the affected pages. Compare that with how we
would fix the problem with RSL. Suppose the two DATA items were in the
data base named AAA and AAB, but the correct name was AAA. We would simply
enter the RSL command:

MERGE  AAB  into  AAA. 

As a result of this command, all the relationships and all the attributes
of AAB would be assigned to AAA, and the DATA item AAB would then be
purged. Thus, if relationships and attributes equivalent to those used in
Annexes A, B, C, and D were established by extension of RSL (as was done
for the requirements regeneration example), this one command would correct
the inconsistency everywhere it existed and we could be assured that it had
been. How long would it take? Perhaps 15 seconds at the keyboard and a
very short computer run.

Deficiencies in the categories "Ambiguous" and "Missing" were the
next most prevalent types, followed by "Illogical" and "Incomplete", in
that order. We have further segregated the reasons behind these categories
of deficiencies, and they are shown in Figures 4-6 through 4-10, along with
some limited Trouble Report examples of the Category of Problem being
displayed. The length of each bar on these figures is related to the
percentage of all the Trouble Reports (left hand scale) in the indicated
CATEGORY_OF_PROBLEM. The number at the end of each bar indicates the
actual quantity of Trouble Reports involved. The full listing of all
Trouble Reports can be found in Appendix D.


[Figure 4-10. Components of the CATEGORY_OF_PROBLEM: Incomplete]


4.3 MAJOR MOM DFSR PROBLEMS

Previous paragraphs have outlined the kinds of deficiencies that have
been reported via Trouble Reports. As in all verification efforts we have
accomplished using SREM, certain problems are identifiable as possessing
higher criticality because they represent situations which typically result
in serious difficulties for the software designer in implementing the
intended processing described in the requirements. They may be individual
omissions or ambiguities of significant import. Or they may be groups of
problems which individually are minor in nature, but the quantity of which
is significant enough to elevate the group to the higher level of
criticality described in this paragraph.

It is important to note that the source of these deficiencies is
solely the Decision Logic Tables (DLTs) in Annex H of the DFSR, as
supported by Annexes A, B, C and D for data definition. As described in an
earlier portion of this report, we concluded that the DLTs were the most
complete DFSR description of intended processing, and as a result, our
efforts were focused on them for the verification effort. In so doing, we
concluded that all appropriate processing requirements should be covered in
the DLTs so that the software designer could expect to find all the
information he needed in these tables. Thus, he shouldn't have to search
for obscure footnotes, or through a large quantity of text, for the key
information he needs to develop his design.

This approach may seem restrictive in the context of this DFSR,
since it is rich in information, and since significant effort has been
expended in attempting to completely portray not only the necessary
processing, but also the context of the overall operations within which the
processing requirements reside. However, good requirements writing
practice suggests that fewer errors result when the software designer finds
all the information he needs in expected, contextually-appropriate locations
within the requirements document. Consequently, the discussion that
follows should be read in the light of these comments. Said another way,
some of the deficiencies outlined in following paragraphs actually are
addressed in portions of the DFSR other than the DLTs, but our view is that
the requirements details should be consistent and complete within the DLTs,
since that is the portion of the DFSR on which the software designer is
likely to rely for determining the processing requirements his design is
expected to satisfy.

The  areas  of  the  requirements  which  we  feel  could  cause  significant 
problems  for  the  software  designer,  and  which  are  individually  discussed  in 
following  paragraphs,  are  as  follows: 

• Failure to initiate certain batch processing output
  reports.

• Failure to use the parameter report controls.

• DABS production and use inconsistencies.

• Work Order Number character field confusion.

• Lack of file purge instructions.

• Missing file contents.

• Significant quantities of individually minor
  deficiencies:

  - Inconsistent data naming.

  - Incorrect DLT referencing.

4.3.1 Failure to Initiate Certain Batch Processing Output Reports

Paragraphs 4.11 and 5.9 indicate that the operator will key for the
accomplishment of cyclic (daily, weekly, and monthly) batch processing
efforts to produce periodic output reports. The DLTs which produce these
reports are not referenced (called) by any other DLTs because the initial
input (keying by the operator) is not found in a DLT to start the batch
processing that leads to the output of the periodic reports, nor is an
input description provided in Annex A to indicate that an input message is
necessary to initiate this processing.

Certain other output reports are defined in DLTs which would be
expected to occur during the chain of periodic preparation of output
reports. However, these reports would not have been referenced even if there
had been a DLT showing the operator keying to initiate periodic report
processing. Whereas all the other periodic reports are referenced from one
to the next (i.e., initiation of a DLT series is called from the completion
DLT of a preceding series), the initiation DLTs of three reports are not
referenced from any other DLT.


A third category of output report deficiencies is those cases where
one or more parts of multi-part output reports are not called for
processing by a DLT, even though the other parts are. Three different
output reports fall into this category.

A  fourth  category  of  problem  exists  in  the  DLTs  where  five  output 
reports  were  not  addressed  by  any  DLT.  That  is,  the  description  of  how 
those  output  reports  were  to  be  developed  and  formatted  was  not  defined  on 
any  DLT.  Table  4.1  lists  the  periodic  output  reports  whose  problems  are 
described  above. 

4.3.2  Failure  to  Use  the  Parameter  Report  Controls 

The parameter for report control is added to the header segment of
several files via entry XMZ (Card Designator Code SAMS: E), and this input
is described in DLTs. However, these parameters are never used in forming
the daily, weekly, and monthly output reports, as would be expected in
light of the comments of page A-206 which describes the use of these
parameters.

4.3.3 DABS Production and Use Inconsistencies

The Daily Accumulated Batch Storage (DABS) is used as a temporary
hold file for daily inputs entered into the system. The information
describing the various input formats to be saved by DABS is found in Annex D
(Page D-20). The "Remarks" block of Page D-20 lists the input to be saved.
Five of the inputs described in the DLTs as being processed are not
indicated as required on Page D-20. Conversely, the DLTs do not show the
logic necessary to process DABS storage of nine files that are required by
Annex D.

To complicate the problem, the input descriptions of Annex A also
indicate which inputs are to be written to DABS. Those are inconsistent
with the similar information indicated in Annex D. In addition, five of
the inputs shown in Annex A as being stored in DABS are not defined in any
DLT as being so stored. Conversely, the DLTs indicate storage to DABS of
five inputs not marked for storage in Annex A. Table 4.2 lists these DABS
inconsistencies.




Table  4.2  Daily  Accumulated  Batch  Storage  (DABS)  Inconsistencies 


[Table 4.2 body is not recoverable from the scan. Column headings: DABS
INPUT, PROCESS REQUIREMENT, and STORAGE TO DABS SHOWN IN (one column per
annex).]

4.3.4 Work Order Number Character Field Confusion

After the MOM DFSR had been published, one of several changes
involved the deletion of a data element: P_WON (Partial Work Order
Number). It was to be understood that the data element "Work Order
Number" was to supplant P_WON wherever it appeared in the DLTs, but the
actual changes to each affected DLT page were not accomplished.

Unfortunately, this change was not straightforward. Because P_WON
had nine characters while the Work Order Number had 12, problems developed
where subportions of P_WON were cited on DLTs. The subportions of P_WON
and the Work Order Number (as to character location) are not consistent.
Because of the pervasive use of P_WON throughout the DLTs, handling the
change in this fashion probably assures that subsequent designers, who may
not have been familiar with P_WON, will be confused with the DLTs as now
written. As much trouble as it might be, there would be a distinct benefit
in modifying all DLT references to P_WON to those appropriate for the Work
Order Number.

4.3.5  Lack  of  File  Purge  Instructions 

The  summary  sheets  for  various  files  in  Annex  D  indicate,  in  one  way 
or  another,  that  the  files  are  to  be  purged.  However,  with  the  exception 
of  the  WORF  and  TPR,  no  specific  indications  are  provided  in  the  DLTs  to 
describe  under  what  processing  conditions  a  specific  file  is  to  be  purged. 
Failure  to  provide  this  information  may  result  in  unintended  results  if  the 
designer  misinterprets  the  variety  of  notes  in  various  places  concerning 
purging  (none  of  which  precisely  define  the  purge  conditions). 

Thus, if the purge decision is to be made under software control,
this control should be defined in the DLTs. If the purge is under operator
control, an appropriate input message (or messages) should be defined and a
DLT for each should define how the purge is to be accomplished and what
protective considerations are to be included.

4.3.6  Missing  File  Contents 

The Shop Stock and Requisitioning Process (Shop/Shipment Status (AE_,
AS_, XMR(B)) Daily Update Subprocess contained in DLTs 1601 through
1630 requires the Supply Status File and Shipment Status File as the basis
for Output Reports C2-35-4D, 02-34-4Y, and also parts of 02-99-4R. These
two files are not defined by Annex D (File Descriptions).

For the purpose of R_NET definition, we assumed these files were made
up of the data items contained in Annex A, pages A-66 and A-71. However,
to assure that such assumptions do not have to be made by the software
designer, these files should be defined fully in Annex D.

4.3.7 Significant Quantities of Individually Minor Deficiencies

Two observed areas of deficiency are singled out as important
problems by virtue of the quantity of deficiencies documented. These are
1) Inconsistent data naming and 2) Incorrect referencing of DLTs.

Inconsistent data naming is a problem found in virtually all software
requirements specifications. In spite of obvious attempts to attain
consistency, the sheer quantity of data items involved in a system of this
type just about guarantees the introduction of errors when a manual system
of requirements definition is attempted. This problem was present in the
MOM DFSR, particularly in the area of batch processing. Unless corrected,
unintended introductions of spurious data may occur. As a result, one
designer or coder may use one data name, but the different names may be
inadvertently used by others, thus causing considerable later problems in
finding and correcting the problem.

The second pervasive problem area is that of DLT referencing. We
believe the DLT approach is one of the better ways of describing intended
processing that we have seen. They clearly show the kinds of decisions
intended and the order of processing required. The problem we experienced
stemmed from inaccurate referencing from one DLT to the next. Referencing
was sometimes to the incorrect DLT, and sometimes to non-existent DLTs.
Problems of this kind often arise when an initial set of well referenced
DLTs is subjected to a change (insertion of new DLTs, or deletion of
existing ones), and subsequent consistency checking of referencing among
the new set of DLTs is not completely accomplished. As mundane as this
kind of error is, it must be realized that many more hours of software
designer efforts will be required to figure out what was intended, than
will be expended by the requirements engineer to modify the DLTs to show
proper referencing.


4.4 FINDINGS OF SREM PHASE RADX RUNS

A normal step in the SREM process involves application of a standard
set of static RADX checks to the data base to identify problems introduced
during its development. RADX efforts under this contract were constrained
by available Government furnished data processing time which was limited to
4 hours. In preparation for Regeneration of Requirements we extended RSL
to contain appropriate elements, attributes, and relationships to duplicate
several of the annexes in the current DFSR directly from the data base.
Although this approach is described in more detail in paragraph 4.5, it is
mentioned here since the larger data base required more processing time
than is normally experienced in a typical SREM application. As a result of
the processing time limitation, it was not possible to completely apply the
RADX tool, nor to completely regenerate the requirements specification.
Instead, we have developed examples of these processes to illustrate
SREM's capabilities in these areas.

A portion of the standard set of RADX checks for Phase 1 and 2 of
SREM was applied to the data base. In addition, Data Flow Analysis was
applied to a portion (one input message) of the data base. These results
are illustrated and discussed in Appendix C.




4.5 REGENERATION OF REQUIREMENTS

With the completion of the requirements data base, a wide variety of
documentation is possible. This variety stems from the RSL/REVS
capability to:

• Control the items to be listed by the establishment of
  SETS of HIERARCHIES of interest.

• Control the amount and type of information to be
  displayed for each SET or HIERARCHY of interest by the
  use of the APPEND statement.

• Define and document any element of interest with its
  appropriate relationship to other elements, and with its
  attributes through RSL extension.

Our approach was to illustrate how portions of current DFSR
documentation might be produced directly from the data base. Although
literal copies of tables can not be directly produced from the data base,
all the information can be developed, entered into the data base, and then
produced in various ways to represent the DFSR documentation. Thus,
information was developed to document the following DFSR documentation:

• Annex A - Input Descriptions

• Annex B - Output Descriptions

• Annex C - Data Element Descriptions

• Annex D - File Descriptions

• Annex H - Decision Logic Tables.

In addition, other documentation can be produced, such as a totally
cross-referenced listing of the entire data base.

This approach represents a thorough, yet succinct, description of the
MOM DFSR processing required, and of the data elements involved in the
processing. The most important aspect added through the use of the
requirements data base to produce this documentation is consistent data
naming and the retention of consistency when data element names are
changed. For example, if a data element name must be changed, a simple
input is made to the data base which guarantees that this data element name
will be consistently changed every place the previous name appeared in any
of the documentation.




An even bigger benefit of documentation under the SREM approach will
be realized when there are changes to the processing requirement. No
matter whether the change is an addition, an insert, a deletion, or a
change to that described in the data base, the RADX checks provide
assurance that the modification has not introduced unintended problems
elsewhere in the requirements. Or if it has, the problems that result are
clearly presented for corrective action.

The  reader  is  invited  to  review  the  documentation  examples  provided 
in  Appendix  B.  There,  each  example  is  described  and  illustrated  to 
demonstrate  the  capability  to  provide  consistent  information  to  document 
the  MOM  DFSR  as  a  result  of  this  SREM  application. 




5.0 A SYSTEMS ENGINEERING APPROACH TO THE EVALUATION OF REQUIREMENTS METHODOLOGIES

One  of  the  thorniest  problems  in  requirements  development  is  eval¬ 
uating  the  impact  of  different  requirements  methodologies  on  the  software 
development  process.  Such  an  evaluation  technique  is  mandatory  for  a 
systematic  comparison,  and  for  selection  of  a  software  requirements  metho¬ 
dology  which  is  most  effectively  applied  to  a  specific  project.  In  this 
section,  we  will  present  a  systems  engineering  approach  to  methodology 
definition  and  evaluation.  This  is  accomplished  by  imbedding  the  require¬ 
ments  generation  in  an  overall  life  cycle  development  context  and  defining 
the  inputs,  outputs,  and  performance  indices  of  the  requirements  metho¬ 
dology.  It  is  motivated  by  the  observation  that  the  purpose  of  a  metho¬ 
dology  is  to  output  a  specified  set  of  information,  such  as  software 
requirements,  in  a  sequence  of  logical  steps  to  produce  the  final  product; 
in  this  case,  the  tested  software  product. 

Our discussion will compare the following requirements techniques to SREM:

•  The  Jackson  method. 

• CADSAT (or other PSL/PSA versions).

•  HOS. 

•  SADT. 

• IORL.

We will first briefly describe and compare these techniques to SREM.
Following that, we will discuss the importance of comparing the cost and
performance of such techniques in the context of the life cycle cost and
resulting performance of the software system. Finally, we will assess and
compare the life cycle cost of each technique.


5.1  TECHNICAL  COMPARISON  OF  SREM  TO  OTHER  TECHNIQUES 

It is impossible in a few short pages to adequately describe the many
requirements and specification techniques and compare and contrast them
with SREM. In spite of this, comparison of a few relevant techniques is
worthwhile to highlight some unique features of SREM. For this purpose, a
few of the more important techniques, as previously listed, were selected
for comparison. The technical comparisons described below are summarized
in Table 5.1.


Table 5.1 A Comparison of Some Requirements Techniques


All of the compared techniques define processing in terms of
"functions" with inputs and outputs. It is interesting to note that SREM,
HOS, and IORL attempt to define a stimulus/response relationship of inputs
to outputs, while Jackson, PSL/PSA, and SADT express data flow but not
precedence or control flow. All techniques, except SREM, explicitly define
processing in terms of a "hierarchy of functions", whereas SREM is based on
a "flat" graph model which can be expressed in terms of a hierarchy of
subnets -- a subtle but important difference.

Sequences of inputs and outputs are explicitly defined by Jackson's
technique, partially defined by SREM, but not defined by other techniques.
The comparison of SREM with Jackson's technique is interesting: Jackson
emphasizes definition of a life cycle of inputs about an object, and
describes the life cycle of processing those sequences, and thus derives the
information (state) which must be kept in the data base about the object.
SREM requires the identification of ENTITY_CLASSes (objects about which
data is maintained in the data processor), and the ENTITY_TYPEs which
compose them (states of the entity which require maintenance of unique
subsets of data), and the DATA which is ASSOCIATED with the ENTITY_CLASS and
ENTITY_TYPEs. Input and output messages are identified with the
ENTITY_TYPE, stimulus/response requirements are expressed in terms of graphs
of functions, and these are then merged together to form the R_NETs. Thus,
the sequences of I/O messages are partially defined by the transitions
between ENTITY_TYPEs.

SREM explicitly provides for the expression and analysis of
traceability between a set of ORIGINATING_REQUIREMENTS and the final processing
requirements. Versions of PSL/PSA have also incorporated this capability.
SREM is the only technique which addresses the explicit definition of
performance requirements (response times and accuracy of the processing
from input to output). This is done in four steps:

(1) Paths of processing are specified in terms of
VALIDATION_POINTs on the R_NETs.

(2) The paths are matched with the ORIGINATING_REQUIREMENTs
which are applicable.

(3) The ORIGINATING_REQUIREMENTs performance numbers are
decomposed and allocated to the paths of processing in
a series of tradeoff studies.

(4) A PERFORMANCE_REQUIREMENT is defined which CONSTRAINS
the path, and is given as an attribute TEST which
inputs specific data from the validation points, and
outputs either "PASS" or "FAIL".




The result is a set of PERFORMANCE_REQUIREMENTs with pre-conditions and
decision points on the R_NET (input data is valid but with an out-of-range
measurement), functional post-conditions (specific data accessed, specific
data updated, specific message output), and performance post-conditions
(response time and testable I/O accuracy requirement). The R_NET thus
provides the mechanism for graphically presenting similarities and
differences of conditions for path expressions.
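The four steps above, as an added sketch that is not code from the report or from REVS: paths are named by pairs of validation points, an originating response-time budget is allocated across them, and each resulting performance requirement carries a test that reads recorded validation-point data and returns "PASS" or "FAIL". The validation-point names, the recording, the budget and the treatment of accuracy as the difference between values at the two points are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed recording taken at validation points on one net:
# (validation_point, message_id, time_ms, recorded_value). Names are hypothetical.
RECORDS = [
    ("V1_RECEIVED", 1, 0.0, 100.00),
    ("V2_UPDATED", 1, 40.0, 100.00),
    ("V3_REPORTED", 1, 95.0, 100.02),
    ("V1_RECEIVED", 2, 200.0, 250.00),
    ("V2_UPDATED", 2, 290.0, 250.00),
    ("V3_REPORTED", 2, 330.0, 250.00),
    ("V1_RECEIVED", 3, 400.0, 75.00),   # message 3 never reaches V3
    ("V2_UPDATED", 3, 430.0, 75.00),
]


@dataclass(frozen=True)
class PerformanceRequirement:
    name: str
    start_vp: str           # step 1: the path lies between two validation points
    end_vp: str
    max_response_ms: float  # allocated share of the originating requirement
    max_abs_error: float    # assumed accuracy measure: value drift along the path

    def test(self, records, message_id):
        """Step 4: read validation-point data for one message, return PASS or FAIL."""
        seen = {vp: (t, v) for vp, mid, t, v in records if mid == message_id}
        if self.start_vp not in seen or self.end_vp not in seen:
            return "FAIL"   # the path was not completed for this message
        (t0, v0), (t1, v1) = seen[self.start_vp], seen[self.end_vp]
        in_time = 0.0 <= t1 - t0 <= self.max_response_ms
        accurate = abs(v1 - v0) <= self.max_abs_error
        return "PASS" if in_time and accurate else "FAIL"


def allocate(budget_ms, shares):
    """Step 3: split an originating response-time budget across consecutive paths.
    `shares` maps (start_vp, end_vp) to a fraction of the budget."""
    if sum(shares.values()) > 1.0 + 1e-9:
        raise ValueError("allocation exceeds the originating requirement's budget")
    return {path: budget_ms * frac for path, frac in shares.items()}


def build_requirements(budget_ms=120.0, max_abs_error=0.05):
    """Step 2: match paths to one originating requirement (a 120 ms budget here)."""
    alloc = allocate(budget_ms, {("V1_RECEIVED", "V2_UPDATED"): 0.4,
                                 ("V2_UPDATED", "V3_REPORTED"): 0.6})
    reqs = [PerformanceRequirement(f"PR_{a}_TO_{b}", a, b, ms, max_abs_error)
            for (a, b), ms in alloc.items()]
    # The end-to-end requirement constrains the whole path with the full budget.
    reqs.append(PerformanceRequirement("PR_END_TO_END", "V1_RECEIVED",
                                       "V3_REPORTED", budget_ms, max_abs_error))
    return reqs


def run_tests(records=RECORDS):
    """Apply every requirement's test to every recorded message."""
    ids = sorted({mid for _, mid, _, _ in records})
    return {(r.name, mid): r.test(records, mid)
            for r in build_requirements() for mid in ids}


if __name__ == "__main__":
    for key, verdict in run_tests().items():
        print(key, verdict)
```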

When  we  compare  automated  tools,  we  find  that  SREM  has  an  automated 
language  RSL  with  tools  to  check  static  DATA  consistency,  the  dynamic  DATA 
consistency  processing  of  a  single  MESSAGE,  limited  consistency  checking 
for  sequences  of  MESSAGES  (DATA  is  initialized  when  a  new  ENTITY_TYPE  is 
set)  and  tools  to  support  simulation  generation.  The  language  and  report 
generation  facilities  are  truly  user  extensible,  allowing  a  user  to  add  new 
elements,  attributes,  and  relationships,  input  instances  of  the  new  ele¬ 
ments  and  relationships,  and  retrieve  them  on  the  same  run. 

Both  Jackson  and  HOS  techniques  are  (at  the  time  of  this  writing) 
currently  manual,  but  tools  are  being  developed.  SADT  has  been  partially 
automated by Boeing Computer Services as AUTOIDEFO. IORL has automated
tools  on  a  mini-computer  for  defining  information  in  a  text-file  and 
diagram  data  base,  and  limited  consistency  analysis  is  available  via 
comparison  of  parameter  tables. 

The comparison of RSL to PSL is worth special attention. PSL defines
processing requirements in terms of elements, attributes, and relationships
by defining a hierarchy of functions, data, etc. R_NETs were defined as a
mechanism for defining sequences of processing requirements before RSL was
defined. In seeking an approach for defining a language expressing these
concepts, TRW noted the PSL work and decided to express RSL in terms of
elements, attributes, relationships, and structures (R_NETs, SUBNETs) to
define the stimulus/response conditions. REVS was then developed using the
FORTRAN Data Base Management System used by PSA. In turn, later versions
of PSA incorporated data consistency checking techniques first developed
for REVS, and techniques for automated simulator generation (first
developed for REVS) are under development for PSA. Thus PSL/PSA and RSL/REVS
have had a substantial interactive effect on one another.

The combination of a precise machine processable language with which
to describe the software requirement consistently and unambiguously, an
integrated consideration of structures which define the logic of processing
in terms of the data flow, the automated capability to test consistency,
completeness and traceability of the requirements data base, the automated
capability to build, exercise, and analyze a simulation of processing using
the actual requirements data base, all accomplished in precise ways
established within the methodology, makes SREM a truly powerful software
engineering tool. Other competing software engineering tools have some
comparable features to portions of SREM's integrated capability. But none of
them possess all the features of SREM. TRW insisted from the start that
SREM be developed in accordance with carefully thought out, formal
foundations, and that it be capable of supporting the complete software
requirements engineering task.

Another reason why SREM excels is due to its approach of defining
logic of processing in an R_NET as a response to each of the input messages
that the data processor may receive. The competing software engineering
tools still maintain the functional hierarchy as a starting point. We
believe that if functions are to be defined, they can be more appropriately
defined after the completion of the definition of processing logic which
occurs from the stimulus-response approach. At that time, appropriate
partitioning becomes more obvious and results in less arbitrarily defined
functions.

Two other factors suggested the appropriateness of the stimulus-
response approach, as the methodology was initially being designed. The
first factor we observed was that, with requirements defined under the
traditional functional-hierarchy approach, the first thing testers had to
do was identify the various paths of processing in the system so that they
could determine what software testing was appropriate. We decided that if
this was to be done anyway, why not write requirements that way to start
with? The second factor we observed was that preliminary or process design
also depends heavily on understanding the logic of processing flow. Here
again, it made better sense to provide the designer with the headstart that
the stimulus-response approach provides.

This completes our look at technical comparisons. Let us next turn
to another way to evaluate requirements techniques; a look at the life
cycle costs for using them to develop and maintain software requirements.



5.2 THE SYSTEM ENGINEERING APPROACH FOR EVALUATION

The  starting  point  of  this  discussion  is  presented  in  Figure  5-1, 
which  illustrates  that  the  life  cycle  methodology  will  input  a  problem 
statement  and  all  subsequent  modifications,  and  will  output  a  sequence  of 
versions of the software documentation end product; the methodology ends
when  the  last  version  is  retired  from  service.  Note  that  the  output  in¬ 
cludes  not  only  the  software  product,  but  all  levels  of  documentation  and 
development  effort  for  the  product.  This  includes  documentation  of  the 
requirements,  their  allocation  to  design  elements,  interface  design,  test 
plan,  and  the  development  plan  (including  cost  and  schedule)  for  component 
development,  integration,  and  test  (including  the  development  of  any  neces¬ 
sary  integration  of  test  tools  and  test  procedures).  The  performance  cri¬ 
teria  appropriate  to  the  overall  methodology  is  the  total  life  cycle  cost 
and  estimates  of  the  performance  of  the  software  system  produced  by  each 
methodology.  Note  that  these  are  separate  indices  so  that  tradeoffs  may 
occur  between  them. 

The  life  cycle  cost  can  be  expressed  in  terms  of  the  costs  of  devel¬ 
oping  each  version,  plus  the  costs  of  operating  each  version.  The  system 
performance  is  a  function  of  the  operating  performance  of  each  version  of 
the  product.  The  cost  of  the  methodology  to  develop  a  revised  version  of 
the product is dependent on the set of tools output by the last version,
and  the  lack  of  such  tools  would  increase  the  costs  of  developing  the 
revised  version  substantially. 

The performance indices of the activities to plan and to coordinate
design and development can be stated as the overall cost and schedule of
the development effort. However, this does not allow an assessment of the
true total cost of requirements. That is, it does not show the downstream
cost of fixing requirements errors, nor the costs of modifying the
requirements and design in response to changes in the original requirements. To
get to this level of detail, we must decompose the methodology to highlight
these activities.

Figure 5-2 highlights the activities of fixing errors and modifying
the requirements and design. The equations at the bottom of Figure 5-2
present relationships between the overall cost to develop the first version
and the performance indices of the activities in this figure. A necessary
consideration of the activity to define requirements is not only the cost
of the requirements generation itself, but also the number of errors
remaining in those requirements. The total development cost then includes
not only the costs of planning, defining requirements, defining design, and
producing the product, but must also include the cost of fixing errors,
plus revision of the requirements/design/product in response to every
requirements change.

The  considerations  presented  to  this  point  have  been  fairly  generic 
in  nature,  in  that  they  could  describe  almost  any  system  or  software  re¬ 
quirements  methodology.  However,  any  further  decompositions  will  neces¬ 
sarily  become  methodology  and  tool  specific.  Figure  5-3  presents  an  over¬ 
view  of  how  that  might  occur.  Each  step  of  the  methodology  is  defined  in 
terms  of  specified  inputs  and  outputs,  and  then  decomposed  into  activities 
which  can  be  allocated  between  manual  procedures  for  using  tools,  and  the 
capabilities  required  of  the  tools,  to  support  the  methodology.  The  inter¬ 
face  between  the  procedures  and  the  tools  constitutes  the  requirements  on 
the  man/machine  interface.  That  is,  they  become  the  requirements  on  the 
syntax  for  inputs  to  the  tools  and  for  presenting  the  results  back  to  the 
user. 

The performance indices of the requirements methodology can then be
decomposed into costs and schedules for each of the steps, which in turn
are decomposable into costs for the man and the costs of the support tools.
Thus, each methodology can be described in terms of the sequence of steps
of using the tools to achieve a sequence of results, yielding different
estimates of costs and rates of errors contained in the requirements. The
costs of requirements can now be assessed in terms of this model by tracing
the costs associated with each of the outputs of the requirements phase
(see Figure 5-2).

The  cost  of  requirements  starts  with  the  consideration  of  the  cost  of 
generating  the  initial  requirements  (including  man  and  tool  costs),  but 
that  is  only  part  of  the  total  cost  of  a  methodology.  We  must  be  cognizant 
of  the  following  considerations,  as  well: 




•  Because  the  costs  of  errors  can  be  very  significant  (as 
we  shall  see  shortly),  it  is  generally  cheaper  to  verify 
requirements  so  as  to  discover  errors  early,  rather  than 
to  find  them  and  fix  them  later.  Since  a  methodology 
may  or  may  not  include  verification,  the  requirements 
generation  costs  should  be  separated  into  two  pieces: 
the  cost  of  requirements  definition,  and  the  cost  of 
requirements  verification. 

•  The  output  of  the  requirements  activity  is  the  require¬ 
ments  used  to  perform  design.  If  the  requirements  con¬ 
tain  errors,  additional  requirements  and  design  work 
will  be  necessary  to  identify  the  errors,  correct  the 
requirements,  and  then  correct  the  design.  In  turn, 
when  the  design  is  complete  and  code  is  being  produced 
and  tested,  additional  code  and  test  costs  may  occur  in 
response  to  correcting  requirements  errors  at  that 
stage.  To  capture  these  effects,  we  will  assign  all 
design  and  development  costs  to  fix  errors  to  the 
requirements  activity;  if  there  were  no  requirements 
errors,  there  would  be  no  such  costs. 

•  As  modifications  to  the  original  problem  statement 
occur,  the  requirements  must  be  revised  to  reflect  these 
changes.  The  costs  of  modifying  the  requirements  can  be 
attributed  to  the  requirements  phase,  but  the  design  and 
production costs are usually allocated elsewhere. Note
that  as  requirements  are  modified  (even  if  only  1  per¬ 
cent  of  the  requirements  are  changed),  all  of  the  re¬ 
sulting  requirements  must  be  re-verified  to  assure  that 
the  requirements  changes  are  consistent  with  the 
remaining  requirements.  Note  also  that  the  requirements 
may  be  modified  hundreds  of  times,  and  thus  this  reveri¬ 
fication  cost  can  become  significant  if  not  supported 
with  automated  tools. 

• Since the requirements are used as the starting point of
design, additional work may be necessary to translate
them to a form usable in the design effort. Assume for
the purpose of this discussion that, if such translation
is necessary, the requirements activity should assume
half of the costs.

• Since the requirements must be published in an
acceptable form, the translation costs into an acceptable
documentation format must be included as part of the
requirements costs.

• Since the requirements are the starting point of test
planning, the costs of translating them so that test
case procedures can be designed should also be charged
to the requirements activity.




Figure  5-4  presents  a  summary  of  these  costs  and  reflects  that  each  of  the 
above  costs  must  be  paid  for  each  version  of  the  software  system.  This 
includes  the  initial  development  as  well  as  all  the  versions  that  must  be 
developed  during  the  system's  life  cycle. 


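$$
\text{TOTAL\_COST\_RQTS} = \sum_{\text{VERSION\_K}} \; \sum_{\text{MOD\_I}} \Big[\, \text{COST\_DEFINE\_RQTS\_I} + \text{COST\_VERIFY\_RQTS\_I} + \sum_{J} \text{COST\_FIX\_ERROR\_J} + \text{COST\_TRANSLATE\_TO\_DESIGN}/2 + \text{COST\_TRANSLATE\_TO\_TESTABLE} + \text{COST\_DOCUMENTATION} \,\Big]
$$

Figure 5-4 Cost of Requirements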




5.3  THE  COST  OF  FIXING  ERRORS  VERSUS  VERIFICATION  COSTS 

The  Equation  of  Figure  5-4  can  be  analyzed  from  a  number  of  view¬ 
points.  First,  consider  that  the  cost  of  fixing  errors  grows  as  a  function 
of  when  the  error  is  discovered  during  the  system's  life  cycle.  Figure 
2-1,  shown  earlier,  presents  an  estimate  of  the  relative  costs  of  fixing 
errors  as  a  function  of  error  discovery  time  derived  from  data  supplied  by 
IBM,  GTE,  and  TRW  projects.  Suppose  we  postulate  that  if  we  performed  only 
99  percent  of  the  requirements  job,  this  would  result  in  errors  which  would 
be  discovered  throughout  the  remainder  of  the  design  and  implementation 
phases (ignoring maintenance for the moment). This would require that 1
percent  of  the  requirements  job  be  completed  later,  as  well  as  the  effort 
necessary  to  correct  the  design  and  code  and  to  retest  the  system.  If  we 
assume  that  50  percent  of  the  errors  would  be  found  at  Preliminary  Design 
Review  (PDR),  that  50  percent  of  the  remaining  errors  were  found  at  Criti¬ 
cal  Design  Review  (CDR),  that  50  percent  of  the  remaining  errors  were  found 
during  development  test,  and  that  the  remainder  were  found  at  acceptance 
test,  then  the  graph  of  Figure  5-5  results.  Combining  the  results  of  this 
graph  with  the  costs  by  phase  of  Figure  2-1,  we  find  that  if  90  percent  of 
the  requirements  effort  were  successfully  completed  during  the  requirements 
phase,  the  remaining  10  percent  would  still  result  in  a  doubling  of  the 
total  requirements  cost.  If  only  80  percent  of  the  requirements  were 
completed,  then  the  cost  of  the  requirements  would  increase  by  a  factor  of 
five.  If  we  assume  the  requirements  to  cost  20  percent  of  the  project 
budget,  then  the  whole  software  development  project  would  approximately 
double.  Finally,  if  only  50  percent  of  the  requirements  were  completed 
during  the  requirements  phase,  the  total  project  costs  would  approximately 
quadruple  (i.e.,  300  percent  overrun). 

Another data point on cost can be extracted from TRW's Systems
Technology Project experience. On that project, requirements were defined
using  Engagement  Logic,  which  is  a  non-automated  version  of  the  RSL 
functional  requirements.  It  required  flow  charts  which  identified  sequen¬ 
ces  of  processing  steps  for  each  input  message,  showed  decision  points  and 
algorithms,  and  described  inputs  and  outputs  for  each  algorithm.  It  took 
approximately  30  man-months  to  produce  each  new  version  of  the  Engagement 
Logic,  and  to  check  it  for  consistency.  This  consistency  checking  was 
performed  manually  and  took  approximately  10  to  15  man-months  per  version. 


[Figure 5-5: horizontal axis ERRORS FOUND IN INITIAL REQUIREMENTS (10 to 100);
vertical axis (RQTS + FIX) / RQTS (1 to 8). ERROR DISCOVERY: 1/2 at PDR,
1/4 at CDR, 1/8 at development test, 1/8 at acceptance test.]

Figure 5-5 Example Analysis


It  is  interesting  to  note  that  this  level  of  validation  led  to  a  signifi¬ 
cantly  smaller  number  of  errors  at  integration  and  acceptance  test  time, 
because the data flow had been thoroughly verified during the requirements
phase.  It  is  also  interesting  to  note  that  the  same  type  of  data  flow 
analysis  can  be  performed  by  REVS  on  a  CDC  o-iOO  in  about  10  minutes  of 
processing time at a cost of approximately $100 for computer time. This
shows  the  significant  reduction  in  the  cost  of  attaining  consistency  with 
verification  using  automated  tools. 


5.4 SOFTWARE REQUIREMENTS METHODOLOGY EVALUATION

The  equation  of  Figure  5-4  can  be  used  to  guide  the  evaluation  of 
different  requirements  methodologies  in  terms  of  comparing  their  respective 
life  cycle  costs.  Table  5.2  provides  an  overview  of  the  relative  costs  of 
four  techniques  to  define  requirements  for  a  large  project  which  we  will 
assume  will  experience  at  least  10  significant  requirements  modifications. 


Table  5.2  Relative  Costs  on  Large  Projects 


                                        RELATIVE METHODOLOGY COSTS

COST ELEMENT                  SREM   CADSAT      HOS    IORL   SADT   JACKSON  MANUAL
                                     (PSL/PSA)

REQUIREMENTS GENERATION       H      M           M      M      M      L        L
REQUIREMENTS VERIFICATION     VL     M           M      M      M               H
NUMBER ERRORS                 VL     M           M      M      M               H
REQUIREMENTS MODIFICATION     M      M           M      M      M               H
TRANSLATION FOR DESIGN        ?      ?           ?      ?      ?      M        ?
DOCUMENTATION                 VL-M   VL-M        VL-M   VL-M   VL-M   L        VL-M
TRANSLATION FOR TESTABILITY   VL     H           L      M      H      M        H
TOTAL COST                    L      M           M      M      M      M        H

The methodologies selected were those of SREM, CADSAT (or other versions of
PSL/PSA produced by Dr. Teichroew at the University of Michigan), IORL
(produced by Teledyne Brown), HOS, SADT, the Jackson Design Method, and a
standard state-of-the-art manual technique to produce a MIL STD 490. The
analysis substantiating the estimates of cost is discussed below.

• Requirements Generation: Assume that the cost of
defining requirements in an automated form is
significant. Then, since SREM requires definition of
more information than CADSAT, IORL, HOS, or SADT, one
could argue that it would be more costly to use SREM to
define requirements; and these would be more costly than
the purely manual Jackson or free-form technique. This
assumption may be incorrect in that it may understate
the advantages of a structured methodology for focusing
effort on a specific sequence of steps, compared to the
degree of effort dissipated without such focus.




• Requirements Verification: The REVS automated analyzers
provide a much more thorough analysis for a low cost
than can be achieved by hand. CADSAT has a limited
number of analyzers (e.g., can check that all data has a
legal source and sink, but cannot check for correct data
flow because sequences of processing are not
representable in PSL). IORL, HOS, and SADT similarly are weaker
in automated checks. Thus, if the same level of
consistency is to be achieved with these tools as with
REVS, additional man-hours must be spent. The amount of
effort necessary to manually verify requirements for a
manual free-form or Jackson technique will be even
higher than for CADSAT and IORL, because of a total lack
of automated tools.

•  Number  of  Errors:  Error  counts  will  be  lowest  with  SREM 
because  of  the  automated  analyzers;  if  we  assume  that 
the HOS, CADSAT and IORL analyzers will remove specific
classes  of  errors,  then  these  will  be  lower  than  the 
errors  in  the  manual  specification.  Except  with  SREM, 
the  data  flow  type  of  errors  are  typically  not  found 
until  integration  test  time,  where  they  are  very 
expensive  to  fix. 

•  Requirements  Modifications:  Assume  for  the  moment  that  the 
cost  to  modify  requirements  using  any  automated  technique  is 
about  the  same.  The  cost  of  modifying  a  manual  specification 
will  be  higher  because  of  the  necessity  to  trace  all  impacts 
of  the  change;  the  automated  tools  of  the  other  techniques 
should  assist  the  modification  process.  The  cost  of  SREM  is 
medium,  instead  of  high,  because  of  the  additional 
traceability  techniques  used  during  the  requirements 
generation  activity. 

• Translation to Design: This is left as an open issue
because of the lack of a standard design technique,
except for the Jackson Technique.

• Documentation Costs: These costs can vary from very low to
medium using automated techniques (depending on whether the
automated documentation produced is in acceptable format),
and vary from low to medium for manual techniques,
depending on desired format and assuming that the analysis
has been performed. For example, an existing RSL data
base for a medium sized software project has been
translated into a standard B-5 specification in a few
weeks with about 3 to 4 people. This is small in
comparison to the time to generate such requirements
manually.

• Translation to Attain Testable Requirements:
Since RSL, by design, produces testable requirements,
the effort to translate these into a form for performing
test planning is very low. IORL has, as one of its
characteristics, the statement of stimulus/response
requirements, but does not completely identify the
information to be measured, and the accuracy
requirements to be met in testable terms, so that additional
work is necessary. The great weakness of both CADSAT,
SADT and a standard manual requirements technique is
that the resulting requirements are not testable,
thereby requiring a considerable effort to translate them
into a testable form. The HOS technique results in
testable functional requirements, but does not address
explicitly issues of accuracy.

• Total cost: If we assume for a medium to large project
that several requirements modifications will take place,
then the costs of requirements generation and
documentation will be dominated by the costs of performing
verification and the costs of fixing all requirements
errors. This leads to the conclusion that, since SREM
identifies and reduces requirements errors more
effectively than other techniques, the overall costs
will be lower than those of CADSAT, HOS, SADT and IORL,
and that these will have lower overall costs than a
manual technique.
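The Requirements Verification item above separates a check that every data item has a legal source and sink from a check of correct data flow along sequences of processing. The sketch below is an added illustration (not code from the report, REVS or CADSAT) that runs both checks on a constructed net, before and after a small requirements modification that passes the first check and fails the second; all step and data names are hypothetical, and the net is assumed acyclic.

```python
from copy import deepcopy

# Constructed requirements net for one input message (all names hypothetical).
MSG_IN = {"PART_NO", "QTY_REQUESTED"}       # data carried by the input message
MSG_OUT = {"ISSUE_DOC", "REJECT_NOTICE"}    # data sent in output messages
ENTRY = "VALIDATE"

STEPS = {
    "VALIDATE": {"inputs": {"PART_NO"}, "outputs": {"PART_VALID"},
                 "next": ["ROUTE"]},
    "ROUTE": {"inputs": {"PART_VALID"}, "outputs": set(),
              "next": ["LOOKUP", "REJECT"]},            # decision point
    "LOOKUP": {"inputs": {"PART_NO"}, "outputs": {"QTY_ON_HAND"},
               "next": ["ISSUE"]},
    "ISSUE": {"inputs": {"QTY_ON_HAND", "QTY_REQUESTED"},
              "outputs": {"ISSUE_DOC"}, "next": []},
    "REJECT": {"inputs": {"PART_NO"}, "outputs": {"REJECT_NOTICE"},
               "next": []},
}


def source_sink_check(steps, msg_in=MSG_IN, msg_out=MSG_OUT):
    """Static check: every data item has some producer and some consumer."""
    produced = set(msg_in)
    consumed = set(msg_out)
    for step in steps.values():
        produced |= step["outputs"]
        consumed |= step["inputs"]
    return {"no_source": sorted(consumed - produced),
            "no_sink": sorted(produced - consumed)}


def path_check(steps, entry=ENTRY, msg_in=MSG_IN):
    """Path-sensitive check: on every path from the entry, each step's inputs
    must already be available from the message or from an earlier step."""
    findings = []

    def walk(name, available, path):
        if name in path:
            raise ValueError(f"cycle through {name}; acyclic nets only")
        step = steps[name]
        path = path + (name,)
        missing = step["inputs"] - available
        if missing:
            findings.append({"path": " -> ".join(path), "step": name,
                             "used_before_set": sorted(missing)})
        available = available | step["outputs"]   # new set per branch
        for nxt in step["next"]:
            walk(nxt, available, path)

    walk(entry, set(msg_in), ())
    return findings


def modify_reject_notice(steps):
    """A small requirements change: the reject notice must now quote the
    quantity on hand, which only the other branch computes."""
    changed = deepcopy(steps)
    changed["REJECT"]["inputs"] = {"PART_NO", "QTY_ON_HAND"}
    return changed


if __name__ == "__main__":
    for label, net in (("baseline", STEPS),
                       ("modified", modify_reject_notice(STEPS))):
        print(label, source_sink_check(net), path_check(net))
```

Re-running both checks after every modification is the cheap part once the net is machine-readable, which is the leverage the surrounding cost discussion attributes to automated verification.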

The  conclusions  of  this  analysis  are  a  function  of  project  type, 
project  size,  and  the  design  quality  of  the  software.  If  the  cost  of  an 
error  in  the  software  is  not  large  (i.e.,  can  be  lived  with,  or  fixed  when 
discovered),  then  the  needed  level  of  verification  may  be  lower.  If  the 
size  and  complexity  of  the  software  is  small,  and  there  will  be  no 
significant  modifications  to  the  requirements,  then  an  individual  analyst 
may  be  able  to  perform  verification  in  his  head  as  effectively,  and  with 
little more effort than with automated tools. However, for large software
applications,  or  those  requiring  significant  design  quality,  the  use  of 
SREM  becomes  advantageous. 




5.5  CONCLUSIONS 

At  least  two  interesting  implications  can  be  derived  from  this 
approach for defining the overall cost of requirements generation:

•  Methodology  cost  cannot  be  properly  evaluated  on  the 
basis  of  a  one  time  application  during  the  requirements 
phase.  As  we  have  seen,  a  significant  portion  of  the 
cost  of  a  requirements  methodology  is  a  function  of  when 
the  errors  are  discovered,  and  which  techniques  were 
used  to  correct  them.  A  project  which  has  had  detailed 
reviews  at  PDR,  CDR,  etc.,  will  probably  find  more 
requirements  errors  earlier  than  one  which  does  not.  In 
addition,  the  cost  of  translation  of  requirements  into  a 
form  useful  for  software  design,  test  planning,  and 
project  documentation  is  project  dependent.  Finally, 
the  required  quality  of  software  and  degree  of  risk 
acceptable  to  the  project  of  late  delivery  due  to 
correction  of  errors  detected  during  acceptance  testing 
is  also  project  dependent.  Thus,  without  consideration 
of  these  parameters,  no  true  evaluation  of  the  cost  and 
relative  merit  of  a  software  requirements  methodology  is 
possible. 

• The leverage of automated tools on the cost of requirements
generation comes from a simple fact: even though
only 1 percent of the requirements may be modified, all
of the remaining requirements must be verified, and the
documentation must be modified correctly to reflect the
changes. Thus, since modification, verification, and
documentation are repeated many times on real projects,
tools which efficiently verify and document the changes
have a higher payoff. Finally, because the total cost
of the requirements is lower with automated tools, it
may be possible to use some of the extra funding to
search a wider design space in order to reduce the
operational costs of the software, or to increase the
overall effectiveness of the software itself.




6.0  ASSESSMENT  AND  RECOMMENDATIONS 


In  this  section  we  will  first  consider  the  applicability  of  SREM  to 
Army  management  information  systems.  Next,  we  will  discuss  the  kinds  of 
problems  we  encountered  that  may  be  typical  to  SREM  verification  efforts  on 
management  information  systems.  Finally,  in  light  of  the  problems  found, 
we  will  recommend  enhancements  that  would  increase  SREM's  capability  for 
requirements  formulation  and  requirements  verification. 

6.1  APPLICABILITY  OF  SREM  TO  ARMY  MANAGEMENT  INFORMATION  SYSTEMS 

The essential functions of a management information computer system
are to support the collection, correlation, analysis, retention, and display
of information and to support analysis, decisions, dissemination, and
other activities necessary to perform the military mission. While the
range of systems and the support missions may be quite broad, most management
information systems have similar generic characteristics that distinguish
them from weapon systems with embedded computers -- the type of
system for which SREM was initially conceived.

One of the key characteristics of a management information system is
that it cannot be totally automated. There is a man in the loop, and he is
there to accomplish appropriate data entry, make situation-dependent decisions,
apply judgement, and permit appropriate responses to a variety of
inputs that cannot be fully anticipated. Computer support is provided
where fixed procedural operations can be defined and where automation is
needed to eliminate drudgery, handle load requirements, and/or meet response
times. Since a fixed algorithm for performance of the mission cannot be
specified except, perhaps, in broad generalities, the user is given specific
automated capabilities and the ability to apply them in sequences and
combinations of his choosing to perform his particular job. Heavy emphasis
on human engineering and man/machine interface is necessary to make the
system effective and responsive.

The variety of different message types entering and leaving the
system  is  large,  and  formats  may  be  diverse.  Data  base  structures  are 
typically  large,  varied,  and  complex.  Cross-correlation  of  data  structures 
is  extensive,  collections  of  data  elements  may  be  used  in  multiple  roles, 
and  data  base  management  may  be  complicated  by  security  requirements. 




While requirements for application software embedded in weapon systems
can be expressed in terms of the engagement logic and operating rules
of the weapon system, it is often difficult to specify requirements for
management information system software in similar terms. First, the data
processor capabilities for management information systems are often multipurpose
and their actual use is determined by the user within a particular
situation  context.  Second,  the  possible  variety  of  stimuli  to  such  systems 
is  often  so  large  that  complete  definition  of  all  possible  uses  may  not  be 
possible. 

Even in consideration of these differences, SREM can be, and has
been, applied to systems with the characteristics of management information
systems. Examples of past applications of SREM by TRW to such systems are
outlined in Table 6.1.

Table  6.1  Description  of  Management  Information  Systems  to  Which 
SREM  Has  Been  Applied 


SYSTEM | TYPE APPLICATION | DESCRIPTION OF SYSTEM OR EFFORT

CV-ASWM (U.S. NAVY) | VERIFICATION | THIS SYSTEM SUPPORTED THE COMMAND AND CONTROL OF ALL ASPECTS OF ASW FROM A CARRIER. IT INCLUDED INFORMATION ON ALL THREATS; ALL AIR, SURFACE, AND SUB-SURFACE FRIENDLY LOCATIONS; ALL ASW-SYSTEM LOCATIONS (SUCH AS SONOBUOYS); AND INFORMATION ABOUT ALL RESOURCES THAT COULD BE BROUGHT TO BEAR ON THE ASW EFFORT.

NAVDAC BUSINESS DATA PROCESSING (U.S. NAVY) | DEMONSTRATION | NAVDAC IS THE NAVAL DATA AUTOMATION COMMAND, WHICH HAS RESPONSIBILITY FOR ALL "BUSINESS" DATA PROCESSING (NON-TACTICAL SOFTWARE). SREM WAS APPLIED TO TWO SAMPLE PROBLEMS TO ASSESS THE APPLICABILITY OF SREM. THESE WERE THE SURFACE WARFARE DATA INTERPRETATION SYSTEM (SWARDIS), AND THE CONTINGENCY AMMUNITION REQUIREMENTS AND SUPPORTABILITY SYSTEM (CARESS).

IHAWK/TSQ-73 (U.S. ARMY) | DEMONSTRATION | THE IMPROVED HAWK SYSTEM COMMUNICATES WITH THE AN/TSQ-73 MISSILE-MINDER COMMAND AND CONTROL SYSTEM. THIS STUDY PRODUCED AN RSL DATA BASE FOR THE IHAWK SOFTWARE REQUIREMENTS INCLUDING THAT RESULTING FROM INTERFACE WITH AN/TSQ-73.



6.2  SREM  APPLICATION  TO  TYPICAL  MANAGEMENT  INFORMATION  SYSTEMS 

Application  of  SREM  to  these  systems,  as  well  as  to  the  MOM  DFSR, 
presented  certain  unique  application  challenges  that  caused  some  additional 
methodology  concepts  to  be  addressed.  These  will  be  discussed  in  following 
paragraphs. 

6.2.1  CV-ASWM  Application 

One  of  the  most  unique  application  challenges  had  to  do  with  how  to 
define  the  concept  of  a  PPI  scope  filled  with  symbology,  all  of  which  could 
move,  could  be  individually  blinked,  could  be  at  several  levels  of  display 
intensity,  could  be  individually  deleted,  added,  or  temporarily  inhibited, 
and  which  required  various  classes  of  items  (such  as  all  surface  vessels) 
to  be  inhibited.  Until  that  point  in  time,  the  concept  of  SREM  dealt  with 
the  arrival  of  a  single  MESSAGE,  determination  of  appropriate  processing, 
and  the  output  of  resulting  MESSAGES  to  other  subsystems  of  the  weapon 
system,  but  not  to  display  consoles.  Now,  for  the  first  time,  we  had  an 
operator  in  the  loop  and  a  complex  visual  display  to  contend  with. 

Under old considerations, each change to an object on the screen
would have been a new output MESSAGE to the CONSOLE. This would have been
exceedingly cumbersome and the resulting R_NETs would have been difficult
to understand. Our solution was to create a display ENTITY_CLASS that
contained all the information about each item on the scope, plus all the
data required for their display control. Thus, for each instance in the
ENTITY_CLASS there were control DATA items to:

•  Indicate  if  the  symbol  was  blinking. 

• Describe the symbol's level of display intensity.

•  Indicate  whether  or  not  the  symbol  was  inhibited. 

In this way, deletion of a displayed item could be accomplished by
having its instance of the display ENTITY_CLASS DESTROYED BY an appropriate
ALPHA. Similarly, new objects were added to the display ENTITY_CLASS, when
appropriate, by being CREATED BY a different ALPHA. Any change in the control
data for the display was also indicated in this ENTITY_CLASS by changing
the value resident in the appropriate control DATA item.

Thus, at any instant of time, the appropriate conditions of each item
in the display ENTITY_CLASS were defined by the value held by the control
DATA in each instance of the display ENTITY_CLASS. We then defined the
display processing as a self-enabling R_NET which was initiated when the
system was turned on, and which re-enabled itself using an EVENT at the
display refresh rate. What the R_NET did each time it was enabled was to
access each instance of the display ENTITY_CLASS which was not inhibited
(via a FOR EACH node) and use the DATA values of that instance in an
output MESSAGE to the console.

A new challenge was to describe the controls for accessing the system's
data base, and for allowing changes to be made and examined at the
console without actually changing the data base. This was done by establishing
a "copy" of the data base for use (which meant temporary establishment
of a second ENTITY_CLASS) in the RSL data base to represent the
copied one for operator use.

It was also necessary to maintain information identifying the operating
mode of each console, since certain functions were available only
while the console was in a particular mode. This was accomplished by
establishing an ENTITY_CLASS for console control with the requisite control
DATA. This also required that the first node on each R_NET which was
ENABLED BY the INPUT_INTERFACE from the consoles be checked to determine
the console's operating mode to determine whether the MESSAGE that had just
entered was legal for that mode.

These, and other new challenges, had to be met in applying SREM to
the CV-ASWM. All of them were overcome with a solution within the capabilities
and constraints of the existing RSL and REVS capabilities.
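The display and console-mode approach described in this section can be modeled in a few lines of ordinary code. The following Python sketch is an added illustration, not RSL and not taken from the report or from TRW: the message names, the two console modes, and all identifiers are assumptions. It shows state changes being recorded in control DATA rather than sent as individual output MESSAGEs, a single refresh pass over non-inhibited instances, and the mode check performed as the first step on every console input.

```python
from dataclasses import dataclass, asdict
from enum import Enum


class Mode(Enum):
    # Hypothetical console operating modes; the report does not name them.
    MONITOR = "monitor"
    EDIT = "edit"


# Hypothetical table of which console MESSAGE types are legal in each mode.
LEGAL = {
    Mode.MONITOR: {"BLINK", "INHIBIT_CLASS"},
    Mode.EDIT: {"BLINK", "INHIBIT_CLASS", "SET_INTENSITY", "ADD", "DELETE"},
}


@dataclass
class Symbol:
    """One instance of the display ENTITY_CLASS, with its control DATA."""
    ident: str
    symbol_class: str      # e.g. "SURFACE", "AIR" (constructed values)
    x: float
    y: float
    blinking: bool = False
    intensity: int = 1
    inhibited: bool = False


class DisplayModel:
    def __init__(self):
        self.symbols = {}        # the display ENTITY_CLASS
        self.console_mode = {}   # the console-control ENTITY_CLASS

    def handle_console_message(self, console, msg_type, **data):
        """Processing enabled by a console input.

        The first step is the mode check: a MESSAGE that is not legal for
        the console's current mode (or that comes from an unknown console)
        is rejected before any state is touched.
        """
        mode = self.console_mode.get(console)
        if mode is None or msg_type not in LEGAL[mode]:
            return False
        if msg_type == "ADD":                 # instance is created
            sym = Symbol(**data)
            self.symbols[sym.ident] = sym
        elif msg_type == "DELETE":            # instance is destroyed
            return self.symbols.pop(data["ident"], None) is not None
        elif msg_type == "INHIBIT_CLASS":     # e.g. all surface vessels
            for sym in self.symbols.values():
                if sym.symbol_class == data["symbol_class"]:
                    sym.inhibited = data.get("inhibited", True)
        else:                                 # BLINK or SET_INTENSITY
            sym = self.symbols.get(data["ident"])
            if sym is None:
                return False
            if msg_type == "BLINK":
                sym.blinking = data.get("blinking", True)
            else:
                sym.intensity = data["intensity"]
        return True

    def refresh(self):
        """One pass of the self-enabling display processing: for each
        instance that is not inhibited, form one output record."""
        return [asdict(s) for s in self.symbols.values() if not s.inhibited]


if __name__ == "__main__":
    model = DisplayModel()
    model.console_mode["C1"] = Mode.EDIT
    model.handle_console_message("C1", "ADD", ident="S1",
                                 symbol_class="SURFACE", x=1.0, y=2.0)
    model.handle_console_message("C1", "INHIBIT_CLASS", symbol_class="SURFACE")
    print(model.refresh())
```

Because every console input passes through the same first check, the set of operations reachable from a given mode can be reviewed in one place (the `LEGAL` table) instead of being inferred from each processing path.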

6.2.2 NAVDAC Application

It was concluded in the NAVDAC study that:

"While some modification to the REVS tools and SREM methodology are
indicated, the approach developed originally for tactical problems
appears to be adaptable to BDP (Business Data Processing) needs."

NAVDAC Business Data Processing can be divided into four major functional
categories:

• Logistics - procurement, maintenance and transportation
of military material, etc.

• Financial Management - accounting, appropriation,
financial projections, etc.

• Administration - management information, executive
functions and decisions, etc.

• Personnel - historical and current personnel data.

Because of the close similarity of the NAVDAC requirement to a management
information system, such as the MOM DFSR, we have excerpted the
portion of the NAVDAC Final Report that describes and evaluates the use of
SREM and the limitations experienced. Systems to which SREM was applied
are first described:

"3.1.1  Surface  Warfare  Data  Interpretation  System  (SWARDIS) 

The  SWARDIS  is  the  initial  increment  of  an  ADP  system  that  ultimately 
will provide the staff of the Deputy Chief of Naval Operations
(Surface Warfare) (Op-03) with all ADP capabilities required to
support the Op-03 functions and procedures involved in the
preparation of the Navy's Program Objectives Memorandum (POM). The
objective of the SWARDIS is to convert data from the Department of
the Navy Five Year Program (DNFYP) files maintained by the Navy Cost
Information System (NCIS) to a file structure that conforms to the
Op-03 resource management concepts so that the Op-03 staff can
prepare reports using NCIS Five Year Defense Program (FYDP) data
couched  in  Op-03's  management  terminology.  System  design  concepts 
allow  the  user  staff  to  specify  whatever  data  file  structure  is 
deemed  appropriate,  to  define  the  user  staff  organization  and 
responsibilities  (cognizance)  for  user  programs,  and  to  establish  up 
to  eight  means  of  "prioritizing"  the  resource  requirements  for  which 
the  user  is  responsible." 

"3.1.3 Contingency Ammunition Requirements and Supportability System
(CARESS) Model

The  CARESS  model,  developed  for  the  Weapon  Logistics  Readiness 
Division  (J42)  of  CINCLANTFLT,  calculates  the  conventional  ordnance 
needed  to  support  a  contingency  situation  or  a  specific  Operational 
Plan (OPLAN) and determines whether or not the Navy can meet the
needs on a daily basis. The model determines and allocates task
force ammunition requirements on a day-by-day basis, and then tests,
for each day, the availability of the required ordnance and the
ability of ammunition ships assigned to the task force to deliver the
ammunition when it is required. If a plan is not supportable, the
model  may  indicate  some  of  the  factors  responsible.  If  the  desired 
ordnance  is  not  available,  attempts  are  made  to  substitute  ordnance 
from  compatible  weapon  stocks." 

"... the CARESS REVS data base is comparatively large. Despite its
size and complexity, we developed a comprehensive processing
structure for the problem within four weeks after start, and had
identified major critical issues, without previous exposure to the
application area."


"3.2 ASSESSMENT OF APPLICABILITY

This section presents TRW's assessment of SREM applicability to Navy
BDP problems, based on evaluation of representative documentation and
development of the selected sample problems."

"3.2.1 Project Size and Complexity

Table 6.2 summarizes the Navy BDP problems reviewed, presents an
estimate of complexity, and indicates the applicability of SREM
supported by the automated tools. The complexity of the system was
estimated by TRW using factors defined by DoD Standard 7935.1-S.

Table  6.2  Survey  of  SREM  Applicability  to  NAVDAC  Applications 


[Table 6.2 is not legible in this copy. Recoverable column headings: ACRONYM, DOCUMENTATION, APPLICATION, COMPLEXITY ESTIMATE.]


The break-point for full SREM application would appear to be a
complexity level of about 25. More complex projects would benefit
from full use of the automated tools. Less complex projects would
benefit from manual utilization of the (SREM) concepts down to a
level of 20 to 21. Below this level, benefits would decrease to a
negligible value for software requirements, although extension
applications at the system level might be worthwhile.

Two factors should qualify these estimates. First, we estimated
complexity values without previous experience in using this standard.
Experienced NARDAC personnel might derive higher or lower values for
these projects. The break-even point should be calibrated according
to their assessment of complexity.

Second, the DoD Standard complexity factors do not include a direct
measure of the logical complexity of the application. Nor do they
differentiate between the complexity of the user's information
processing problems and the problems of physical implementation. The
logical complexity may be inferred from the number of people assigned
to the project and its costs, but other contributing factors also
influence those variables, including the overall size of the
application.

Presuming logical complexity roughly equivalent to SWARDIS or CARESS,
applications roughly one-tenth of their size could benefit from use
of SREM. Indeed, one of the significant advantages of SREM is that
it reveals the true size and complexity of problems, often
underestimated by purely verbal descriptions."

Certain RSL extensions, which are easily made because of RSL's extensibility
feature, were found to be required. Of more interest, however, are
the limitations that deserve REVS enhancements. These include the
capability:

•  For  an  additional  value  for  the  attribute  TYPE  as  it 
applies  to  DATA  to  provide  for  ALPHANUMERIC  DATA.  The 
current  DATA  TYPES  include  INTEGER,  REAL,  BOOLEAN,  and 
ENUMERATION.  REVS  would  need  to  be  changed  to  represent 
this  TYPE  of  DATA  in  simulations,  and  its  use  to  qualify 
an  OR  node  branching  decision  would  have  to  be  worked 
out. 

• For complex ordering of an ENTITY_CLASS, ENTITY_TYPE or
FILE on a multiple set of keys (primary, secondary,
tertiary, etc.). Currently, one can define the transition
from one ordering to another only by describing a
long, detailed sequence of processing steps.

• For a sequential FOR EACH mechanism to perform a processing
step on each instance of a set, in a specified
set order.

• To express WHILE and UNTIL conditions for a FOR EACH.
The current FOR EACH is intended to specify that all
instances be processed, and if this is to be done only
until some state is reached, it currently cannot be so
defined, structurally.

• For a SELECT capability on a MAXIMUM or MINIMUM value of
the DATA in some instance of an ENTITY_CLASS, ENTITY_TYPE,
or FILE. This capability does not now exist, but
the need for it frequently occurs in management information
systems.

The above REVS changes, of course, would require METHODOLOGY modifications,
as well.




6.2.3 IHAWK/TSQ73

This was a large demonstration effort accomplished in 1977-78 to
determine whether SREM was as applicable to tactical missiles as it was to
BMD systems. The conclusions on applicability of RSL/REVS for the study are
shown in Table 6.3 and, as indicated, certain RSL enhancements were recognized
as beneficial. These are briefly discussed below.

Table  6.3  SREM  Applicability  to  the  IHAWK/TSQ73  Application 


•  THE  MAJOR  DIFFERENCES  BETWEEN  IHAWK  AND  PREVIOUS  BMD  SYSTEM 
CONSTRUCTS, FROM THE STANDPOINT OF DIFFERENT TYPES OF SOFTWARE
REQUIREMENTS,  ARE: 

-  OPERATOR  COMMAND  ORDERS 

-  DISPLAY  PROCESSING 

-  C^  DATA  LINK  PROCESSING  (MESSAGE  SEQUENCING,  DATA  LINK 
CAPACITY,  INTERIM  OUTPUTS) 

-  SUBSYSTEM  SENSING  (CONTINUOUS  INPUT  INTERFACES) 

•  RSL  WAS  ABLE  TO  SPECIFY  ALL  CONDITIONS  IMPOSED  BY  IHAWK  (WITHOUT 
USE  OF  THE  EXTENSION  SEGMENT) 

•  SOME  CHANGES  TO  THE  LANGUAGE  WERE  IDENTIFIED  THAT  WOULD  PROMOTE 
EASE  OF  EXPRESSION  AND  USER  CONVENIENCE 

-  NON-TERMINAL  OUTPUT  INTERFACES 

-  CHANGES  IN  ENUMERATED  DATA 

-  STANDARD  FUNCTIONS  IN  CONDITIONALS 

- ADDITIONAL RSL WRITE/MODIFY AIDS


6.2.3.1 Non-Terminal Output Interfaces

The need to specify the output of a sequence of MESSAGEs occurred for
the transmission of MESSAGEs over a data link. An indirect approach had to
be taken to express this type of requirement in RSL. The information that
MAKES the MESSAGE had to be saved in FILEs and an R_NET that accesses the
FILEs and determines the MESSAGE to transmit had to be developed. By
allowing OUTPUT_INTERFACEs to serve as non-terminal nodes in a structure,
such as shown in Figure 6-1, this type of requirement would be easier to
specify and more understandable in RSL. Currently, an OUTPUT_INTERFACE
terminates a branch of processing.


[Figure 6-1 shows one processing branch in sequence: FORM MESSAGE M1, M_OUT, FORM MESSAGE M2, M_OUT.]

Figure 6-1 Illustration of Sequential MESSAGE Output Using
Non-Terminating OUTPUT_INTERFACEs

6.2.3.2 Changes in Enumerated DATA

The  use  of  enumerated  DATA  provides  a  clear  expression  of  the  meaning 
of  DATA  values.  For  example,  it  is  clearer  to  state  that  the  values  for 
SENSORS are "IPAR, ICWAR, IHPI" than to state the values as 0, 1, or 2.
There  are  two  changes  pertaining  to  the  use  of  enumerated  DATA  that  would 
make  it  more  useable: 

• Allow the use of the value of an enumerated DATA item in
the standard conditional. For example:

SELECT ENTITY_CLASS TRACK SUCH THAT (TRACK_TYPE = REMOTE)

WHERE

DATA TRACK_TYPE is of TYPE ENUMERATION with a RANGE
"LOCAL, REMOTE".

Current rules only allow either numerical values in the
conditional statement, such as:

SELECT ENTITY_CLASS TRACK
SUCH THAT (TRACK_NR = 9A)

or the comparison of two named DATA items in the
conditional statement, such as

SELECT ENTITY_CLASS TRACK
SUCH THAT (TRACK_NR = TRACK_NR_IN).

Thus,  an  enumerated  value  (which  is  defined  as  a  value  stated  in  words) 
cannot  currently  be  used  in  a  conditional  statement. 

6.2.3.3 Allow Standard Functions in Conditional Statements

Currently, the reference of standard math functions in conditional
expressions is not allowed in RSL. For systems such as IHAWK (that perform
a lot of geometric computation) a capability to use standard functions in
conditional statements would provide a more natural expression of software
requirements. Examples are:

• IF (ABS(RANGE) > RNG_LIMIT).

• SELECT TRACK SUCH THAT (SIN(AZ) > SECTOR).

6.2.3.4 Provide the Capability to Assign a Particular Attribute and/or
Relationship  to  a  Collection  of  Elements 

An example of how this might be useful is when a set of modifications
are to be entered into the requirements data base as the result of a change
to the software specification on which the requirements data base is based.
RSL has an attribute called VERSION which allows changes to be recognized
by adding this attribute to all new data base entries that are the result
of such a change. Currently, each such element has to be stated as the
subject element to which this attribute VERSION can then be assigned. What
is being sought here is a method of providing the replication of the
VERSION attribute in a more automatic manner to all affected elements.

6.2.3.5 MOM DFSR Application

The difficulties we have experienced with the MOM DFSR have primarily
been those of scale, as were described in Section 3.0. We also experienced
several of the limitations outlined above, plus two which were apparently
not encountered on other efforts.

The first enhancement that would have been useful would be the capability
to show the SELECTion of an instance of an ENTITY_CLASS or ENTITY_TYPE
which possesses the DATA item that has the next higher (or lower)
value to that DATA item in the currently SELECTed instance of the ENTITY_CLASS
or ENTITY_TYPE. To describe this requirement under current methodology
is cumbersome.

A  second  area  we  encountered,  which  is  unexpressible  within  the 
current  structure  capabilities,  was  the  Real-Time  requirement  XMH  starting 
with  DLT  619.  The  essence  of  this  part  of  the  requirement  is  that  when 
CARD_DSG_CD_SAMS  is  input  with  a  value  of  A,  and  INQ_ACT_CD  has  a  numeric 
value,  a  look-up  table  is  accessed  where  a  particular  data  element  name  is 
linked  to  the  INQ_ACT_CD.  The  intent  is  to  use  the  data  name  to  access  its 
equivalent  data  name  in  a  previously  specified  file;  either  the  WCRF  or  the 
TPR.  This  would  require  a  memory  map  showing  the  location  of  the  desired 
data  element  so  that  the  data  element  at  that  location  could  be  accessed 
and  its  value  displayed. 

Conceptually, access via data location is at a different level than
that used to describe normal application requirements. For example, in
RSL, an instance of an ENTITY_CLASS may be accessed such that some DATA
item in the ENTITY_CLASS possesses a particular boolean condition. This
may relate to a comparison of the value in the DATA item to a real integer
number, or the boolean expression may be true for some comparison of values
of two DATA items. Both of these conditions were illustrated in Paragraph
6.2.3.2 for the ENTITY_CLASS: TRACK. The meaning for a statement of the
type such as (TRACK_NR = TRACK_NR_IN) is that the value resident in TRACK_NR
is equal to the value resident in TRACK_NR_IN. The portion of the
requirement described above requires that the equality be accomplished by
comparing the DATA name in the look-up table to the equivalent name in the
ENTITY_CLASS of interest. Because this type of comparison is not possible
within the current SREM concepts, it is not possible to describe that
portion of the XMH process on a structure. Fortunately, the designers of
SREM contemplated that not every software requirement which might arise
could be defined on a structure. Thus, the element: UNSTRUCTURED_REQUIREMENT
was included as an RSL element for such an occurrence. An UNSTRUCTURED_REQUIREMENT
was used to define this MOM DFSR requirement in the
requirements data base. Table 6.4 shows the limitations ...
various SREM applications as described above.


[Table 6.4 lists the RSL/REVS enhancements below against SREM APPLICATION columns for CV-ASWM, NAVDAC, IHAWK/TSQ-73, and a fourth column whose heading is illegible. The marks showing which enhancement applied to which application are not legible in this copy.]

RSL/REVS ENHANCEMENTS

1. DATA ATTRIBUTE TYPE VALUE: ALPHANUMERIC

2. COMPLEX ORDERING OF ENTITY_CLASS, ENTITY_TYPE, AND FILE

3. SEQUENTIAL FOR EACH

4. FOR EACH WHILE (OR UNTIL)

5. SELECT ON MAXIMUM OR MINIMUM VALUE OF DATA ITEM IN AN
ENTITY_CLASS OR ENTITY_TYPE

6. NON-TERMINAL OUTPUT_INTERFACEs

7. ENUMERATED DATA USE IN CONDITIONAL EXPRESSIONS

8. MATH FUNCTIONS USE IN CONDITIONAL EXPRESSIONS

9. EXPRESSION OF THE MEMORY LOCATION OF A DATA ITEM

10. SELECT ON THE NEXT HIGHER OR LOWER VALUE OF A DATA ITEM

Table 6.4 Enhancements Needed for Various SREM Applications to Systems
with Characteristics Similar to Management Information Systems


6.3  SREM  ENHANCEMENTS 

Table 6.4, previously presented, outlines certain of the enhancements
we would have found useful in the application of SREM to various kinds of
non-BMD systems. We believe that all of the enhancements are worth considering
with the exception of Item 9. The concept of application of SREM to
the level requiring manipulation of data based on memory locations is at a
level of detail not contemplated for SREM. Further, requirements of this
kind can be stated textually much more easily and clearly.

The  other  nine  enhancements  would  be  useful  to  ease  application 
efforts,  and  to  produce  clearer  understanding  for  the  software  designer, 
than  is  the  case  using  current  concepts.  Based  on  our  efforts  to  date, 
however,  we  believe  we  can  work  around  these  limitations  satisfactorily, 
even  if  enhancements  were  not  pursued.  Although  it  would  be  necessary  to 
investigate  the  scope  of  these  enhancements  to  determine  their  impact  on 
REVS  translation,  RADX,  and  simulation  functions,  it  is  fair  to  say  that 
they  probably  are  not  trivial. 

One additional capability would have great utility in the software
requirements development process: the capability to automatically produce
the software requirements document in an appropriate format from the RSL
data base. Currently, various RADX commands can be used to present elements
of the data base in various ways. The sample regeneration of requirements
for a portion of the MOM DFSR in Appendix B is an example of the
current capability. Although RADX provides a lot of flexibility, it cannot
produce a specification in a current Army format. It would be feasible,
however, to add this capability. Of all the possible improvements
discussed, a "specification generator" of this type is probably the most
important and would add a truly useful capability for Army SREM users.




6.4 A COMPLEMENTARY TOOL FOR SREM


As we have discussed, SREM is a methodology which provides the approach,
the language, and the automated tools to 1) define the software
requirements from the system level requirements, or 2) verify the adequacy
of an existing software requirement. If it is the Army's intention to
utilize the full power of SREM by applying it to define software requirements
(as opposed to only its verification role) then TRW's Performance and
Cost Analysis Model (PERCAM) is a logical complementary tool at the system
level.

PERCAM's primary role is to investigate overall operating
considerations for computer systems, to identify bottlenecks caused by
resource constraints, and to provide a quick-response tool for evaluating
the capabilities and costs of different arrangements or types of processing
equipment to accomplish an overall requirement. Investigation might
consider processing loads over time, and the adequacy of throughput, queue
loading, memory capacity, communication data rates, etc., to handle these
loads.

Using results of these simulations, PERCAM would present a comparison
of the alternative processing arrangements, computer hardware candidates,
and the resulting costs of the approaches under consideration. It could
suggest the best arrangement of core versus off-line memory, the number and
location of operators needed, and, where critical, the speed of response to
operating loads. Its relationship to SREM is through the identification
of the ORIGINATING_REQUIREMENT that must be imposed on the software for the
desired system.

PERCAM also is useful in assessing operational changes under
consideration which would impact processing on an existing system. It provides
suggestions for alternative computer and/or communication resources to
handle the changed processing loads or throughput requirements, or the best
reallocation of existing resources to support the changes.

Of course, there are many ways of solving problems of this type. The
purpose of the remainder of this discussion is to describe PERCAM and to
highlight its rapid turn-around capability, its low cost of application,
and the simplicity of its use, when compared to other tools which exist for
analysis of this type.




Analysis tools for use in conducting tradeoff studies and in
evaluating system elements, complete systems and system families in a dynamic
simulation are categorized in two general types. The first type comprises
simple, easy-to-use models (usually based on linear programming, game
theory, etc.) that accommodate only gross system descriptions and cannot
directly measure the effect of variations in system components,
organizational structure, or scenario. The second type is characterized by complex
and detailed time-dependent, high-fidelity system simulations which are
inflexible, require large and detailed data bases, a high degree of user
skill, and which provide highly detailed results.

The research and development planning process usually calls for the
rapid evaluation of candidate systems and system components under
conditions which represent current or projected system capabilities and
scenarios. The necessity to quickly evaluate the effects of variations in
component performance, cost, and system configuration precludes, in many
cases, the use of the simpler models during this stage. While it is
possible to use a large-scale conventional simulation for tradeoff studies
involving changes in system configuration and in system component
characteristics, the required setup time and the computer and manpower resources
are frequently much larger than the plan development task could support.

An analysis tool to assess these early requirements should provide
quick turn-around analyses, be easily adaptable to a variety of problems
and to a variety of requirements fidelities, incorporate the ability to
represent and to vary scenarios and operational doctrines, permit the
presentation of interaction of the proposed system with its operational
environment, and incorporate the model which permits comparative
effectiveness evaluation of dissimilar systems. The TRW systems analysis tool,
PERCAM, has been developed to meet these requirements.

PERCAM is a simulation methodology which provides a set of software
tools to automate simulation generation directly from Event Logic Trees
(ELTs), a graphic model of system logic and control. The key elements of
PERCAM simulation methodology are: the ELTs modeling technique, the PERCAM
preprocessor and underlying simulation superstructure. Systems
architecture and software modeling is accomplished with the preprocessor which uses
a library of FORTRAN components similar to macros to construct simulation
models according to user inputs. The structure of the simulation is
modular, flexible, and specifically designed to provide high visibility to
system engineers and designers. Changes to system parameters, individual
system models, or system configuration are easily accomplished. PERCAM is
operable on the CDC and VAX 11/780 computer systems.

Event  Logic  Trees  (ELTs),  illustrated  in  Figure  6-2,  are  structured 
graphical  representations  of  the  sequence  of  actions  performed  by  a  system 
in  its  operating  environment.  The  ELT  consists  of  a  series  of  linked 
functional  blocks  which  describe  the  operational  paths  the  system  may  take 
to  reach  any  number  of  termination  points.  Branching  within  the  tree  is 
controlled  by  various  decision  nodes. 

The transformation step from the ELT description to the PERCAM input
description is straightforward and, in fact, can be considered as a
"cookbook" approach. Since the ELT is constructed with specific components in
mind, each point on the ELT corresponds to a particular component and thus,
the specific data for that component will be defined by the user when the
ELT is transformed into a computer processable input description.

PERCAM provides a quick response, low cost capability for exposing
system operational issues via system simulation. The PERCAM methodology
facilitates quick assessment of degraded modes of system operation, makes
possible the determination of the key operational characteristics of
alternate system configurations, provides a bulk-filter to determine critical
issues and high impact design tradeoffs, and at the same time provides
insight into peak loading effects and throughput bottlenecks.

Flexibility and long-term growth potential are inherent features of
the PERCAM concept. Since the component library can easily be updated and
modified, component availability can be upgraded to keep pace with
evolutional developments. New PERCAM components can be added to represent
new and innovative logic concepts or to simply chain together a set of
often-utilized macros.

Growth  potential  for  PERCAM  based  simulation  is  significantly 
enhanced  due  to  the  high  level  self-documenting  communication  qualities  of 
ELT  descriptions.  Systems  Analysts  are  freed  from  the  fears  and  complexity 
of  large,  slowly  evolving  customized  simulation  codes  whose  developers  are 
no  longer  available. 


[Figure 6-2: Event Logic Tree (ELT) illustration; graphic not reproduced.]


6.5  SUMMARY 


The major observation derived from the SREM application to the MOM
DFSR was that the current definition of RSL and REVS was adequate in scope
and flexibility to verify all stated requirements. Some extensions of the
language were found appropriate to meet certain management support
functions (such as those related to Trouble Reports), and to provide certain
RADX documentation to produce information similar to that presented in
Annexes A, B, C, and D. This latter extension was primarily for the
purpose of illustrating that RSL extension can provide the flexibility to
produce information, such as DATA names, in various contexts, each with
their own particular relationships and attributes. Even though exact
formats cannot currently be produced directly by RADX commands, all the
relevant information can be provided, as illustrated in Appendix B.

As has been experienced on previous SREM applications, we found that
RSL forces a level of completeness and specificity that is more technically
consistent than can be obtained with traditional English specifications,
and it places more formality and discipline into the requirements
development activity than is possible with a manual approach. This was reflected
in this verification effort by the high quantity of deficiencies found in
the MOM DFSR. The added effort initially required with SREM will be more
than returned during the software design, implementation, and test phases,
and thus reduce the total cost of the software acquisition. There is also
a body of opinion that the cost of the requirements development itself may
actually be lower when SREM is applied for software requirements
development. This is because the rapid, consistent printouts reduce the
need for coordination and manual consistency checking, and the methodology
itself efficiently focuses the necessary activities.

REVS contains a variety of user functions that are available for the
specification, analysis, simulation, and documentation of software
requirements. All of these functions, except the simulation function (which was
not required under this contract) were exercised during the REVS
application to the MOM DFSR. Since the majority of the options of each function
were necessary to develop and state the MOM DFSR requirements, this effort
provided a detailed test. As in previous efforts, it was found that
certain enhancements would have assisted in assuring that the SREM application
was not only more efficient, but also more understandable for the software
designer's use.

The importance of utilizing an organized approach (a methodology)
with the supporting automated capability to check the consistency,
completeness, clarity, logicalness, testability, and traceability cannot be
overestimated. The need to attain good software requirements prior to
software design and coding is understood by nearly all involved in data
processing. However, it is only recently that sufficient interest has been
demonstrated to cause a variety of software engineering tools to be
developed and offered to the community for use. Based on the assessment of
requirements techniques provided in Section 5, we believe that SREM has the
best overall combination of capabilities to assure a positive impact in
reducing the cost and risk of software development.




6.6  RECOMMENDATIONS 


If the decision is made to implement SREM as a software tool within
the Army, we recommend the following:

•  Consider implementation of the RSL/REVS enhancements
along the lines mentioned above.

•  Develop a strategy for implementation of SREM for
software requirements development or verification (or
both) including the necessary means to enforce its
application.

•  Establish a plan for introduction of the methodology for
both practitioners and managers, and for periodic SREM
application training.

•  Develop the capability to automatically produce software
requirements in accordance with appropriate Army
specification formats via RADX from a requirements data base
built as the result of a SREM application, using a
"specification generator" capability, as described
earlier.

In any of the efforts described above, the Army should coordinate its
SREM-related efforts with BMDATC and with the U. S. Air Force at Rome Air
Development Center (RADC). Both of these agencies are involved in efforts
of related interest.

BMDATC continues to investigate advanced technology in the software
area. This includes considerations of Distributed Data Processing (DDP),
the development of System Software Requirements Engineering Methodology
(SSREM) for producing the system level software requirement from the top
level system specification and the development of a Software Design
Engineering Methodology (SDEM) for software design. These last two will be
SREM-like approaches with a methodology, a specific language, and a set of
automated tools to support the effort. Both will be integrated with SREM
so that the system level software requirements data base created by the
SSREM will be directly useable for SREM application in developing the
software requirements specification. Similarly, the data base developed
during the application of SREM will feed directly into the SDEM effort.

When completed, an integrated, consistent method for accomplishing all the
engineering effort necessary to transit from the System Specification to
the point of coding the software design is intended. Consequently, efforts
in these areas should be of continuing interest during their development.




RADC has apparently decided to use SREM as a standard tool for the
development of C³I systems within the U. S. Air Force. They have recently
issued an RFP, the objective of which is "to develop the methodology,
tools, and documentation required for a software requirements specification
and analysis capability which can generate and validate a formal equivalent
of the Computer Development Specification (MIL-STD 490 type B5) as used in
the acquisition of computer systems embedded within Air Force C³I systems".
This effort will provide for the study and development of enhancements to
overcome some of the limitations described earlier in this section. It
also will provide for improvements to the methodology, to REVS software,
for updating the existing SREM documentation, and for improving the
educational materials to incorporate the enhancements produced under the
contract. Clearly, a harmonization of AIRMICS efforts with those of the Air
Force and with BMDATC makes good economic sense for all concerned.


7.0  REFERENCES 


1.  Alford,  M.  W.  and  Lawson,  J.  T.,  "Software  Requirements  Engineering 
Methodology  Development",  TRW  Report  32697-6921-0C2,  Huntsville, 
Alabama,  15  March  1979. 

2.  Alford,  M.  W.,  "Software  Requirements  Engineering  Methodology  (SREM) 
at  the  Age  of  Four",  COMPSAC  Proceedings,  pp  866-874. 

3.  "A  New  Approach  for  Software  Success",  TRW  Pamphlet,  Huntsville, 
Alabama,  undated. 

4.  Browne,  P.  H.,  Jr.,  Hitt,  G.  C.,  and  Smith,  R.  W.,  "Utilization  of 
SREM  in  IHAWK/TSQ-73  Requirements  Development",  TRW  Report 
27332-6921-034,  Huntsville,  Alabama,  September  1978. 

5.  Baker, L., et al., "Specification Tools Environment Study", TRW Report
35983-6921-002, Huntsville, Alabama, 19 December 1980.

6.  "Detailed  Functional  System  Requirement  (DFSR)  -  Volume  IV,  Standard 
Army  Maintenance  System  (SAMS)  -  Retail  Level,  Maintenance  Operations 
Management  (MOM),  (SAMS-1)",  TM  38-L71-2,  United  States  Army  Logistic 
Center,  Ft.  Lee,  Virginia,  March  1979. 

7.  Oyer, M. E., et al., "REVS Users Manual, SREP Final Report - Volume
II", TRW Report 27332-6921-06, (With Revisions A and B), Huntsville,
Alabama, 1 August 1977.

8.  Furbush,  W.  J.,  Alford,  M.  W.,  Boling,  L.  T.,  "Software  Engineering 
Systems  for  Distributed  Data  Processing",  TRW  Preliminary  Users 
Manual  36551-6921-008,  Huntsville,  Alabama,  11  February  1981. 

9.  Lawson, J. T., Gunther, L. J., Williams, R. L., "SREM Development for
Navy Business Data Processing", TRW Report 32620-6921-002,
Huntsville, Alabama, September 1979.

10.  Sims, O. M., et al., "Advanced Data Processing Concepts", TRW Report
34673-6921-017, Huntsville, Alabama, 20 February 1981.




